How to Configure Exchange Server 2010 Outlook Anywhere

In this tutorial I will demonstrate how to enable and configure Exchange Server 2010 Outlook Anywhere to provide secure mailbox connectivity for remote Outlook users.

Outlook Anywhere is a much better solution for remote email access than POP or IMAP because the end user experience is the same whether the user is running Outlook on the LAN or remotely. Because it runs over SSL, Outlook Anywhere is also inherently more secure than those other protocols, which have non-encrypted options that companies often deploy.

What is Outlook Anywhere?

Outlook Anywhere is a service provided by the Client Access server role that allows Outlook clients to make a secure connection over SSL/HTTPS to the mailbox from remote locations.  Previously this was known as RPC-over-HTTPS but was renamed to Outlook Anywhere in Exchange 2007 and 2010.

By wrapping normal Outlook RPC requests in HTTPS the connections are able to traverse firewalls over the common SSL/HTTPS port without requiring the RPC ports to be opened.

There are three main tasks to deploy Outlook Anywhere in an Exchange environment:

  • Enable and configure Outlook Anywhere on the Client Access server
  • Configure the perimeter firewall to allow SSL/HTTPS connections from external networks to the Client Access server
  • Configure the Outlook clients to use Outlook Anywhere when connecting from remote networks

Enable Outlook Anywhere on Exchange Server 2010

In the Exchange Management Console navigate to Server Configuration -> Client Access, and select the Client Access server you want to enable for Outlook Anywhere.

If you have multiple Client Access servers in an Active Directory site then choose the one that is the internet-facing Client Access server. If you have deployed a CAS array you will need to repeat this process on all members of the array.

Choose the Exchange Server 2010 Client Access Server to configure for Outlook Anywhere

With the server selected, in the action pane of the Exchange Management Console click on Enable Outlook Anywhere.

Enable Outlook Anywhere for Exchange Server 2010

The Enable Outlook Anywhere wizard launches.  Enter the external host name for Outlook Anywhere users to use when connecting remotely to Exchange, and choose an authentication method.

Configure Outlook Anywhere for Exchange Server 2010

The external host name you choose should ideally be one that is already included in the Exchange certificate configured on the Client Access server.  Otherwise you will need to create a new certificate for Exchange.

The Outlook Anywhere authentication method you choose will depend on a few factors in your environment.

  • Basic Authentication – this requires that Outlook users enter their username and password each time they connect to Outlook Anywhere. The credentials are sent in clear text, so it is critical that Outlook Anywhere connections only occur over SSL/HTTPS. You may need to choose Basic Authentication if the connecting computers are not members of the domain, if the ISA Server publishing rule and listener are shared with other Exchange services that require Basic Authentication, or if the firewall being used does not support NTLM authentication.
  • NTLM Authentication – this is ideal for connecting clients that are domain members because the username and password will not need to be entered by the user each time they connect.  However NTLM may not work with some firewalls or ISA Server publishing scenarios.

When you have configured the Outlook Anywhere settings click Enable to continue, and then click Finish to close the wizard.

The Outlook Anywhere configuration for Exchange 2010 will take effect within 15 minutes of completing the wizard.  The Application Event Log will record Event ID 3008 and a series of other events when the configuration has been applied to the server.
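
The wizard steps above can also be run from the Exchange Management Shell. The following is an added example, not part of the original article: it checks that an unexpired certificate enabled for IIS covers the external host name before enabling Outlook Anywhere, then reads the configuration back and looks for Event ID 3008. The server name `CAS01`, the host name `mail.example.com` and the helper `Test-NameCoversHost` are assumptions for illustration.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access server.
# $Server and $ExternalHost are placeholders; substitute your own values.
$Server       = 'CAS01'              # assumed internet-facing Client Access server
$ExternalHost = 'mail.example.com'   # assumed external host name
$AuthMethod   = 'Basic'              # or 'Ntlm', see the two options above

# Hypothetical helper: true if a certificate name (exact, or a "*.domain"
# wildcard) covers $HostName. String comparison with -eq is case-insensitive.
function Test-NameCoversHost {
    param([string]$CertName, [string]$HostName)
    if ($CertName -eq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        # A wildcard covers exactly one extra label: *.example.com matches
        # mail.example.com but not a.mail.example.com or example.com.
        $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
        return ($HostName.Contains('.') -and $parent -eq $CertName.Substring(2))
    }
    return $false
}

# 1. Find unexpired certificates enabled for IIS that include the host name.
$now   = Get-Date
$certs = @(Get-ExchangeCertificate -Server $Server | Where-Object {
    ($_.Services -match 'IIS') -and ($_.NotAfter -gt $now) -and
    (@($_.CertificateDomains | Where-Object {
        Test-NameCoversHost -CertName ([string]$_) -HostName $ExternalHost
    }).Count -gt 0)
})
if ($certs.Count -eq 0) {
    throw "No valid IIS certificate on $Server covers $ExternalHost; fix the certificate first."
}
# A self-signed certificate is only trusted by clients that have installed it.
$certs | Where-Object { $_.IsSelfSigned } | ForEach-Object {
    Write-Warning "Certificate $($_.Thumbprint) is self-signed."
}

# 2. Enable Outlook Anywhere with the wizard's two inputs. SSL offloading is
#    off, so the Client Access server itself terminates SSL.
Enable-OutlookAnywhere -Server $Server -ExternalHostname $ExternalHost `
    -DefaultAuthenticationMethod $AuthMethod -SSLOffloading $false

# 3. Read the configuration back and check it.
$oa = Get-OutlookAnywhere -Server $Server
$oa | Format-List Server, ExternalHostname, ClientAuthenticationMethod,
                  IISAuthenticationMethods, SSLOffloading
if ($oa.SSLOffloading -and ($oa.ClientAuthenticationMethod -eq 'Basic')) {
    # With offloading on, the hop from the offload device to the server is
    # plain HTTP, so Basic credentials would cross it in clear text.
    Write-Warning 'Basic authentication with SSL offloading enabled.'
}

# 4. Re-run this step after up to 15 minutes to confirm Event ID 3008
#    was written to the Application log since the change.
Get-EventLog -LogName Application -After $now |
    Where-Object { $_.EventID -eq 3008 } |
    Select-Object TimeGenerated, Source, Message
```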

Configure the Firewall for Exchange Server 2010 Outlook Anywhere

To enable remote Outlook users to connect to Outlook Anywhere the perimeter firewall for the network must be configured to allow the SSL/HTTPS connections to pass through to the Client Access server.

The precise steps for this will depend on which firewall you are using in your environment.  However the basic components of this configuration are:

  • A public DNS record for the external host name you are using for Outlook Anywhere
  • A public IP address on the firewall that the public DNS record resolves to
  • A NAT or publishing rule to allow SSL/HTTPS connections to reach the Client Access server

Exchange Server 2010 Outlook Anywhere Firewall Overview

If you are running an internet-facing Exchange Server 2010 CAS array then you would configure the firewall rule to direct traffic to the CAS array IP address.

Configure Outlook Clients for Exchange Server 2010 Outlook Anywhere

Before an Outlook client can connect to Outlook Anywhere it needs to be configured with the correct settings.  In Outlook 2010 open the Account Settings for the Outlook profile that is configured.

Outlook 2010 Account Settings for Exchange Server 2010 Outlook Anywhere

Double-click to open the properties of the Exchange Server profile that is configured.

Outlook 2010 Exchange Server Profile Settings

Click on More Settings, and then select the Connection tab of the settings dialog box that appears.

Outlook 2010 Connection Settings

Tick the box to Connect to Microsoft Exchange using HTTP, and then click the Exchange Proxy Settings button.

Enable Outlook Anywhere in Outlook 2010

Enter the External Host Name that was configured for Outlook Anywhere earlier on the Client Access server, and then configure the Proxy Authentication Settings to match the client authentication method chosen on the server.

Configure the Outlook Anywhere External Host Name and Authentication Settings in Outlook 2010

Click OK, OK, Next and then Finish to apply the change to Outlook 2010.  You must restart Outlook for the new settings to take effect.

Now that Outlook 2010 has been configured for Exchange Server 2010 Outlook Anywhere, any time the user launches Outlook from a remote connection and can reach the perimeter firewall over the internet they will be able to securely access their mailbox as though they were still on the corporate network.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013.

Comments

  1. Hello, you are missing one part. What are we supposed to put in the Exchange Server box right above the user name??? It’s the first thing it asks you when you click profile properties.

  2. Great article guys!!!!!!

  3. Exchange reader says:

    Hello, I think you missed out one thing here, which is SSL for Outlook Anywhere. Could you update the same as well, which will be useful for the readers?

  4. Looking for info on publishing Outlook Anywhere via TMG 2010 as opposed to a different firewall

  5. Can you help, please?

    What do I have to configure to support multiple Outlook Anywhere email domains with a single Exchange 2010 site?
    e.g. webmail.domain.com, webmail.domain2.com, webmail.domain3.com

    Can I run like this (or to this effect via another configuration method)?
    Enable-OutlookAnywhere -Server ‘CASarray’ -ExternalHostname ‘webmail.domain.com’, ‘webmail.domain2.com’, ‘webmail.domain3.com’ -DefaultAuthenticationMethod ‘NTLM’

    Thanks in advance.

  6. David Han says:

    Great article and helped me to set up my Outlook Anywhere deployment

  7. Dear Team,

    How are you? Hope you are fine. Now I am facing 1 problem related to Outlook Anywhere. I am using Windows Server 2008 R2, Exchange Server 2010. I had enabled Outlook Anywhere on my server and I bought the certificate from DigiCert for my Exchange server. But when I am using the online tool for Exchange connection testing, “https://www.testexchangeconnectivity.com/”, I got the error as below:

    Testing RPC/HTTP connectivity.
    The RPC/HTTP test failed.

    Test Steps

    Attempting to resolve the host name mail.thakral.com.kh in DNS.
    The host name resolved successfully.

    Additional Details
    IP addresses returned: 175.28.3.58
    Testing TCP port 443 on host mail.thakral.com.kh to ensure it’s listening and open.
    The port was opened successfully.
    Testing the SSL certificate to make sure it’s valid.
    The certificate passed all validation requirements.

    Test Steps

    ExRCA is attempting to obtain the SSL certificate from remote server mail.thakral.com.kh on port 443.
    ExRCA successfully obtained the remote SSL certificate.

    Additional Details
    Remote Certificate Subject: CN=thakral.com.kh, OU=IT, O=Neeka Limited, L=Phnom Penh, S=Phnom Penh, C=KH, Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US.
    Validating the certificate name.
    The certificate name was validated successfully.

    Additional Details
    Host name mail.thakral.com.kh was found in the Certificate Subject Alternative Name entry.
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.

    Test Steps

    ExRCA is attempting to build certificate chains for certificate CN=thakral.com.kh, OU=IT, O=Neeka Limited, L=Phnom Penh, S=Phnom Penh, C=KH.
    One or more certificate chains were constructed successfully.

    Additional Details
    A total of 2 chains were built. The highest quality chain ends in root certificate CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.

    Additional Details
    ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the “Update Root Certificates” feature isn’t enabled.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn’t expired.

    Additional Details
    The certificate is valid. NotBefore = 6/12/2012 12:00:00 AM, NotAfter = 6/19/2013 12:00:00 PM
    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn’t detected.

    Additional Details
    Accept/Require Client Certificates isn’t configured.
    Testing HTTP Authentication Methods for URL https://mail.thakral.com.kh/rpc/rpcproxy.dll.
    The HTTP authentication methods are correct.

    Additional Details
    ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic
    Attempting to ping RPC proxy mail.thakral.com.kh.
    RPC Proxy can’t be pinged.

    Additional Details
    A Web exception occurred because an HTTP 404 – NotFound response was received from IIS7.

    Please kindly help me to support me on that case. Now I have no solution to fix the Exchange server for Outlook Anywhere yet. But for Exchange ActiveSync, it is working properly. THANKS

  8. Don’t forget to enable the RPC over HTTP feature or Outlook Anywhere won’t work

  9. Hi sir,

    I have some queries,

    One of my clients is complaining that while their external users are trying to connect with Outlook it takes 9-10 mins, and after connecting to Outlook, when they try to send mail it takes 40-45 secs,
    there is not any issue with OWA,

    Please help me to resolve this issue,

  10. My Outlook does not have the option of Outlook Anywhere. I’m using POP/SMTP email configured with IP address. I need to access my mails everywhere I go, as long as I am connected to any network.

  11. Hi,

    How to change my server Outlook Anywhere name? I am reading and applying this article but I don’t change my server name.

  12. Thank you so much. This saved my bacon in a training session with 30 users who were training on Tasks. We found out the day of training that our VPN connection would not be allowed through the guest network available at the training center. With your help we had it all set in 15 minutes and training could continue.

  13. After setting all the configuration above, I still get an error message of invalid certificate. Can’t we use a self signed certificate for Outlook use anywhere??
    What exactly is the procedure of generating self required certificate for use anywhere????

  14. Hi Paul,

    If you have FBA enabled on your TMG listener and OA is configured for NTLM, I believe I won’t be able to authenticate through TMG. For some reason, the MS whitepaper implies that if you have a FBA Listener you will have only Basic Auth delegation available for OA.
    In my case FBA listener works with my OA rule only if I pass through TMG by configuring the Authentication delegation to No Authentication but clients may authenticate directly.

    I would like to keep FBA on TMG and NTLM on OA for my domain users, but this causes issues with the OAB (web-based) download when passing through TMG, causing a credentials pop-up box.

    Any ideas?

  15. Hi Paul,

    I need help. What are the requirements in setting up an Outlook Exchange Server 2010? Such as: server (physical), domain (paid) and software…

    Thanks in advance

  16. Best secret I found in doing this is either create profile and resolve name on the LAN first or via VPN. Set up Mail Profile from Control Panel -> Mail (32 bit). Create profile and follow wizard, except check box for manual setup and use INTERNAL Exchange Server name, and “Check Name”. (This is when you would need to connect VPN first, if you’re not on the physical LAN.) When name comes back underlined (successfully resolved), go to More Settings button, and proceed to the tab to set up Outlook Anywhere proxy server (remote.yourdomain.com, in the case of SBS 2011 default.) Leave the LAN or disconnect the VPN and launch Outlook. You should be prompted for a login (domain\username format) and password. If this is your first time connecting Outlook on this machine, it’ll ask for your name and initials, then “preparing mailbox for first use” and so on until you are looking at your mailbox, FROM the Internet, no VPN required. Everything else in the original article is rock solid helpful. Thanks Paul!

    • Thanks a lot CBlue , that really helps me. But my main problem now is the EXTERNAL Exchange server. How to set up External exchange server? What exactly do I need is how to create this and its requirements.
      Thanks again

      • Well, I believe the original article here deals with setting up the [external] Exchange Server. My comment was more towards the SBS 2011 Standard (Small Business Server 2011), which has a sort of ‘integrated’ Exchange Server, and is often left out of discussions on Exchange Server (or Windows Server 2008 R2, on which it’s based.)

        • Hi CBlue, can you please give me the link of your tutorial regarding integrated exchange server. I’m still studying on how to set up Microsoft Exchange Server 2012. I’m still figuring out what will be the requirements in hardware,software like exchange server and active directory. Thanks

    • Hi CBlue, in your reply regarding Outlook Anywhere you indicated that after connecting to the network and setting up the profile with Outlook Anywhere configured, you could access your mail without VPN, with just an internet connection, and that you would be asked for logon credentials and then it would open. I am using a profile with Outlook Anywhere for the first time. My computer was on the company network, configured for Outlook Anywhere. When I try to open Outlook I am prompted for my domain credentials but it doesn’t let me in because it can’t authenticate me because I am not connected to a domain. How is this supposed to work? If I cancel the login then I am working with my offline folders only. I am trying to understand the advantages of Outlook Anywhere but I don’t understand how it is supposed to work.

      Thank you,

      AlyceO

      • Make sure that it works on the LAN first, and is configured to use the Exchange server on the LAN. THEN, set up for Outlook Anywhere proxy server (“remote.yourdomain.com”, in the case of SBS 2011 default.) in the “More settings” go to the “Connection” tab and click the Exchange Proxy Server button and follow the original directions to set up your publicly accessible and named Exchange Server in the url box, and pick NTLM as authentication method. Should work at this point. Test it as follows: leave the domain, Launch Outlook, while connected to the Internet. Should be able to traverse the firewall and talk to the [Exchange] server at this point.

        • CBlue, it does work on the LAN, but our admins have us use Basic Authentication, not NTLM. I think I know what the issue may be; I will try that. Thank you for the information.

          AlyceO

  17. Hi,

    I find this write-up very educative. I have configured Exchange, but cannot get Outlook Anywhere to work due to the certificate. If I could get to chat with you live on Skype or Google chat, that will enable me to get realtime questions across so you can assist me to set it up.

    I will be most grateful

  18. Hi Paul,

    Let me add some more information. My exchange 2010 has a self-signed certificate. The internal exchange server name is what is contained in the self-signed certificate and the owa name is different from the internal name.

    Could this be the reason why when configuring Outlook Anywhere I get error code 10? I urgently need your assistance

  19. How are you? Hope you are fine. Now I am facing 1 problem related to configuring Exchange server: not configured, why?

  20. Nice article on outlook anywhere .. good feature and given a good info

    issue with users outside my domain ….

    other isp few users with outlook 2010 users are normal and able to check mails without password

    few with 2007 outlook user have to change the authentication method from NTLM to basic then it is asking password for mails (default returns to NTLM )

    Kindly support with a solution on this so that

    SURAJ

    • If the Exchange server is configured for Basic auth for Outlook Anywhere then the Outlook clients need to use Basic auth. I’m not sure what else you are asking me here?

      • Paul,

        few clients are running normal but for few clients are troubling with this issue.

        regards
        suraj

  21. Christian says:

    Hi Paul,
    When I activate Outlook Anywhere on my CAS Servers, all 2007 and 2010 Outlook have automatically checked the Https parameters in their configuration. It’s not a problem if it works well every time, but sometimes, and I don’t know why yet, Outlook asks the user for a password even if he’s connected to the domain LAN.

    Every day I have 1 – 5 users calling us for that; they relaunch Outlook and it works again.
    Note: from WAN it’s working fine.

    I’m hesitating to disable Outlook Anywhere on CAS. Will Outlook’s configurations follow my lead, or will I be contacted by 500 users?

  22. I have done everything as stated in the article but still Outlook Anywhere cannot work, however I am able to use OWA on both external and internal clients

  23. I have this issue: published Exchange 2010 on Cisco ASA 5505 with static NAT port 443.
    NTLM auth doesn’t work for non-domain computers. When I turn on basic authentication, the username and password window drops out but still can’t connect. Checked on testechangeserverconnectivity and only an SSL problem occurs, but I have my own CA and I install exported certificates on non-domain devices so that shouldn’t be an issue here. Besides, installed the CA certificate on my Windows Mobile and it started to work just fine.
    Any suggestions?

  24. Hi,

    To publish Outlook Anywhere, do we need to purchase a public certificate mandatorily?
    Or is an internal certificate enough to do the job?

    and thanks

  25. rajkumar kathane says:

    hi

    problem occur to certificate on my windows

    I install to certificate now windows working fine

    thanks

  26. Thanks for the article. The Outlook 2010 client is making a connection and sending/receiving email. If I reboot and start Outlook the settings under Outlook Anywhere have been cleared. I reenter them and Outlook connects. But if I reboot they are gone.

  27. Hi Paul.

    Have to say all of your Exc step by step procedures are awesome.
    Keep up the good work. I use a lot of it religiously. hehehe

    Please advise. Currently I noticed that random users are suddenly being prompted for passwords whilst on the LAN. A further look shows that Outlook is trying to connect to my webmail server and that’s what is requiring the password.
    On my Exchange 2010 box I currently have CAS authentication set to basic and not NTLM.
    If I do set this to NTLM, does this mean that users connecting from non-domain PCs, such as your mobile phones and PCs at home, will not be able to connect?
    Strangely it has always been on basic but this problem has only come up a few months ago :-(
    If I set those Outlook clients to use KERBEROS it solves the problem, whilst others work fine on NEGOTIATE AUTO. Reason for Kerberos is I have Riverbeds which require mail security to be set to that security level….

    • Non-domain clients should still be able to auth when it is NTLM.

      From memory though, the auto-logon can stop working if the Outlook Anywhere namespace is not in the trusted or intranet zone in IE, or a zone that allows auto-logon. Been a while since I had to look at a scenario like this though.

      • Paul,

        What if the goal is for non-domain computers to NOT be able to access my environment? Can that be done at TMG level? A firewall perhaps? Would like to hear some ideas/hear your thoughts. Thanks.

  28. Can you help, please?

    What do I have to configure to support multiple Outlook Anywhere external host names or URLs with a single Exchange 2010 site?
    e.g. webmail.domain.com, Outlook.domain.com, email.domain.com

    Can I run like this
    Enable-OutlookAnywhere -Server ‘CASarray’ -ExternalHostname ‘webmail.domain.com’, ‘Outlook.domain.com’, ‘Email.domain.com’ -DefaultAuthenticationMethod ‘NTLM’

    Thanks in advance

  29. Hi everybody

    I have my Exchange Server 2010 with Active Directory and DNS. It is working fine locally. I want it to be online; what things are necessary?

    Please help me

    Thanks

    Mohammed Irfan

  30. Hi, I have a problem with Hosted Exchange 2010 SP1. When I create a new OU and mailbox it works fine with OWA, but when I try to connect with Outlook it says the name is not found … and if I try to connect automatically I get the message “user name Not found”. Also, when I try to connect manually, the error message is “there is problem with the security certificate. the name on the security certificate is invalid or does not match …”. Outlook also has some problem with some old mailboxes.

    From ExRCA I get the following errors, i.e. certificate related:

    The Microsoft Connectivity Analyzer is attempting to test Autodiscover for gull@xyz.co.uk.
    Autodiscover was tested successfully.

    Additional Details

    Elapsed Time: 2927 ms.

    Test Steps

    Attempting each method of contacting the Autodiscover service.
    The Autodiscover service was tested successfully.

    Attempting to test potential Autodiscover URL https://xyz.co.uk/AutoDiscover/AutoDiscover.xml
    Testing of this potential Autodiscover URL failed.

    Additional Details

    Elapsed Time: 417 ms.

    Test Steps

    Attempting to resolve the host name xyz.co.uk in DNS.
    The host name resolved successfully.

    Additional Details
    Testing TCP port 443 on host xyz.co.uk to ensure it’s listening and open.
    The port was opened successfully.

    Additional Details
    Testing the SSL certificate to make sure it’s valid.
    The SSL certificate failed one or more certificate validation checks.

    Additional Details

    Test Steps

    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server xyz.co.uk on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.

    Additional Details
    Validating the certificate name.
    Certificate name validation failed.
    Tell me more about this issue and how to resolve it

    Additional Details
    Attempting to test potential Autodiscover URL https://autodiscover.xyz.co.uk/AutoDiscover/AutoDiscover.xml
    Testing of this potential Autodiscover URL failed.

    Additional Details

    Test Steps

    Attempting to resolve the host name autodiscover.xyz.co.uk in DNS.
    The host name resolved successfully.

    Additional Details
    Testing TCP port 443 on host autodiscover.xyz.co.uk to ensure it’s listening and open.
    The port was opened successfully.

    Additional Details
    Testing the SSL certificate to make sure it’s valid.
    The SSL certificate failed one or more certificate validation checks.

    Additional Details

    Elapsed Time: 270 ms.

    Test Steps

    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.xyz.co.uk on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.

    Additional Details
    Validating the certificate name.
    Certificate name validation failed.
    Tell me more about this issue and how to resolve it
    Additional Details
    Attempting to contact the Autodiscover service using the HTTP redirect method.
    The Autodiscover service was successfully contacted using the HTTP redirect method.
    …………………….. Please help

  31. Hi Paul,

    I had a query regarding Authentication Settings on CAS 2010.

    Can we offload the Authentication to another Network device on CAS 2010?

    Description of my issue:

    I want to authenticate user on my Network Device and once they are authenticated
    I redirect them to the CAS server.
    I do not want the CAS Server to re-authenticate the user. Currently it does.

    Regards,
    Ankit

  32. Prashant says:

    Hi,

    How to configure Proxy Authentication settings on CAS 2010.

    Regards,
    Prashant

  33. Hi Paul,

    I had configured Outlookanywhere as per the steps provided.
    Got a SSL certificate from Godaddy and made Common name same as the one provided in outlookanywhere .

    The first time when I configure a profile, Outlook Anywhere is connected and the user is able to send/receive, but when he closes Outlook and opens it again, the Exchange proxy URL is changing to the internal CAS server name and Outlook shows as disconnected. If we change the proxy to the external URL, he is able to send/receive.
    I am using Basic Authentication for Outlook Anywhere.

    How do I fix this?

    Appreciate your help in advance.

  34. Hi Paul,

    I have a problem with RPC over HTTPS with the message limit. When a user connects Outlook from outside, the synchronisation starts and everything is fine. When I send a mail with a 15MB attachment the synchronisation stops at 10MB and will not start again.
    I think there is a limit at 10MB for RPC, but where can I change this?
    All other limits (send connector, receive connector, etc.) are configured to 100MB this time.
    Do you have a reason for this problem??

    • Hi Paul,

      The computer isn’t in the company domain. This computer is a little workstation for the Directing Manager in his own holiday cabin in the Alps in Austria. He doesn’t want to connect this private computer to the domain, for whatever reason. As firewall in the company we have a Barracuda Firewall with no limits for this protocol. On the firewall we see that the stream is disconnected at 10MB but we see no reason.
