In this tutorial I will demonstrate how to enable and configure Exchange Server 2010 Outlook Anywhere to provide secure mailbox connectivity for remote Outlook users.
Outlook Anywhere is a much better solution for remote email access than POP or IMAP because the end-user experience is the same whether the user runs Outlook on the LAN or remotely. Thanks to SSL encryption, Outlook Anywhere is also inherently more secure than other protocols that have non-encrypted options, which companies often deploy.
What is Outlook Anywhere?
Outlook Anywhere is a service provided by the Client Access server role that allows Outlook clients to make a secure connection over SSL/HTTPS to the mailbox from remote locations. Previously this was known as RPC-over-HTTPS but was renamed to Outlook Anywhere in Exchange 2007 and 2010.
By wrapping normal Outlook RPC requests in HTTPS the connections are able to traverse firewalls over the common SSL/HTTPS port without requiring the RPC ports to be opened.
There are three main tasks to deploy Outlook Anywhere in an Exchange environment:
- Enable and configure Outlook Anywhere on the Client Access server
- Configure the perimeter firewall to allow SSL/HTTPS connections from external networks to the Client Access server
- Configure the Outlook clients to use Outlook Anywhere when connecting from remote networks
Enable Outlook Anywhere on Exchange Server 2010
In the Exchange Management Console navigate to Server Configuration -> Client Access, and select the Client Access server you want to enable for Outlook Anywhere.
If you have multiple Client Access servers in an Active Directory site then choose the one that is the internet-facing Client Access server. If you have deployed a CAS array, you will need to repeat this process on all members of the array.

Choose the Exchange Server 2010 Client Access Server to configure for Outlook Anywhere
With the server selected, in the action pane of the Exchange Management Console click on Enable Outlook Anywhere.

Enable Outlook Anywhere for Exchange Server 2010
The Enable Outlook Anywhere wizard launches. Enter the external host name for Outlook Anywhere users to use when connecting remotely to Exchange, and choose an authentication method.

Configure Outlook Anywhere for Exchange Server 2010
The external host name you choose should ideally be one that is already included in the Exchange certificate configured on the Client Access server. Otherwise you will need to create a new certificate for Exchange.
The Outlook Anywhere authentication method you choose will depend on a few factors in your environment.
- Basic Authentication – this requires that Outlook users enter their username and password each time they connect to Outlook Anywhere. The credentials are sent in clear text, so it is critical that Outlook Anywhere connections only occur over SSL/HTTPS. You may need to choose Basic Authentication if the connecting computers are not members of the domain, if the ISA Server publishing rule and listener are shared with other Exchange services that require Basic Authentication, or if the firewall being used does not support NTLM authentication.
- NTLM Authentication – this is ideal for connecting clients that are domain members because the username and password will not need to be entered by the user each time they connect. However NTLM may not work with some firewalls or ISA Server publishing scenarios.
When you have configured the Outlook Anywhere settings click Enable to continue, and then click Finish to close the wizard.
The Outlook Anywhere configuration for Exchange 2010 will take effect within 15 minutes of completing the wizard. The Application Event Log will record Event ID 3008 and a series of other events when the configuration has been applied to the server.
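The same configuration can be applied and checked from the Exchange Management Shell. This is an added example, not part of the original article: `CAS01` and `mail.example.com` are placeholder names, and `Test-NameCoversHost` is a helper written for this example rather than an Exchange cmdlet.

```powershell
# Added example for the Exchange Management Shell on Exchange Server 2010.
# 'CAS01' and 'mail.example.com' are placeholders (assumptions).
$cas      = 'CAS01'
$hostname = 'mail.example.com'
$auth     = 'NTLM'     # or 'Basic', chosen by the factors described above

# True when a certificate name covers the host. A wildcard such as
# *.example.com covers exactly one label, so it does not match a.b.example.com.
function Test-NameCoversHost([string]$CertName, [string]$HostName) {
    if ($CertName.StartsWith('*.')) {
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0) -and ($HostName.Substring($dot) -eq $CertName.Substring(1))
    }
    return $CertName -eq $HostName
}

# 1. Before enabling: is there an unexpired certificate assigned to IIS that
#    already contains the external host name?
$usable = @(Get-ExchangeCertificate -Server $cas | Where-Object {
    $c = $_
    $names = @($c.CertificateDomains | Where-Object { Test-NameCoversHost "$_" $hostname })
    ("$($c.Services)" -match 'IIS') -and ($c.NotAfter -gt (Get-Date)) -and ($names.Count -gt 0)
})

if ($usable.Count -eq 0) {
    Write-Warning "No valid IIS certificate on $cas covers $hostname; create a new certificate first."
} else {
    $usable | Format-List Thumbprint, Subject, CertificateDomains, NotAfter, IsSelfSigned

    # 2. Shell equivalent of the Enable Outlook Anywhere wizard (skipped if already enabled).
    if (-not (Get-OutlookAnywhere -Server $cas)) {
        Enable-OutlookAnywhere -Server $cas -ExternalHostname $hostname `
            -DefaultAuthenticationMethod $auth -SSLOffloading $false
    }

    # 3. Confirm the host name and authentication methods that were stored.
    Get-OutlookAnywhere -Server $cas |
        Format-List ServerName, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading
}

# 4. Run on the Client Access server itself: has Event ID 3008 been logged yet?
Get-EventLog -LogName Application -Newest 1000 |
    Where-Object { $_.EventID -eq 3008 } |
    Select-Object -First 1 TimeGenerated, Source, Message
```

If step 4 returns nothing, wait for the 15-minute window mentioned above and run it again.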
Configure the Firewall for Exchange Server 2010 Outlook Anywhere
To enable remote Outlook users to connect to Outlook Anywhere the perimeter firewall for the network must be configured to allow the SSL/HTTPS connections to pass through to the Client Access server.
The precise steps for this will depend on which firewall you are using in your environment. However the basic components of this configuration are:
- A public DNS record for the external host name you are using for Outlook Anywhere
- A public IP address on the firewall that the public DNS record resolves to
- A NAT or publishing rule to allow SSL/HTTPS connections to reach the Client Access server

Exchange Server 2010 Outlook Anywhere Firewall Overview
If you are running an internet-facing Exchange Server 2010 CAS array then you would configure the firewall rule to direct traffic to the CAS array IP address.
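The three firewall components listed above can be checked in order from a computer outside the network. This is an added example, not part of the original article; `mail.example.com` is a placeholder for your external host name, and only standard .NET classes are used.

```powershell
# Added example: run from a Windows computer on an external network.
# 'mail.example.com' is a placeholder (assumption) for the external host name.
$hostname = 'mail.example.com'
$tcp      = New-Object System.Net.Sockets.TcpClient
$stage    = 'DNS lookup'

try {
    # 1. Public DNS record: the name must resolve to the firewall's public IP address.
    $ips = [System.Net.Dns]::GetHostAddresses($hostname)
    "DNS: $hostname -> $($ips -join ', ')"

    # 2. NAT or publishing rule: TCP 443 must be reachable from outside.
    $stage = 'TCP connect to port 443'
    $tcp.Connect($hostname, 443)
    "TCP: port 443 is open"

    # 3. Certificate: SslStream validates the chain against the Windows trust
    #    store and checks the host name, so an untrusted, expired or mismatched
    #    certificate raises an exception at AuthenticateAsClient.
    $stage = 'SSL handshake and certificate validation'
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($hostname)
    "SSL: certificate accepted for $hostname"

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

    # The Subject Alternative Name extension (OID 2.5.29.17) lists the covered host names.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $san.Format($true) }
}
catch {
    # $stage identifies which of the three components failed.
    Write-Warning "$stage failed: $($_.Exception.Message)"
}
finally {
    $tcp.Close()
}
```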
Configure Outlook Clients for Exchange Server 2010 Outlook Anywhere
Before an Outlook client can connect to Outlook Anywhere it needs to be configured with the correct settings. In Outlook 2010 open the Account Settings for the Outlook profile that is configured.

Outlook 2010 Account Settings for Exchange Server 2010 Outlook Anywhere
Double-click to open the properties of the Exchange Server profile that is configured.

Outlook 2010 Exchange Server Profile Settings
Click on More Settings, and then select the Connection tab of the settings dialog box that appears.

Outlook 2010 Connection Settings
Tick the box to Connect to Microsoft Exchange using HTTP, and then click the Exchange Proxy Settings button.

Enable Outlook Anywhere in Outlook 2010
Enter the External Host Name that was configured for Outlook Anywhere earlier on the Client Access server, and then configure the Proxy Authentication Settings to match the client authentication method chosen on the server.

Configure the Outlook Anywhere External Host Name and Authentication Settings in Outlook 2010
Click OK, OK, Next and then Finish to apply the change to Outlook 2010. You must restart Outlook for the new settings to take effect.
Now that Outlook 2010 has been configured for Exchange Server 2010 Outlook Anywhere, any time the user launches Outlook from a remote connection and can reach the perimeter firewall over the internet they will be able to securely access their mailbox as though they were still on the corporate network.




Hello, you are missing one part. What are we supposed to put in the Exchange Server box right above the user name??? It’s the first thing it asks you when you click profile properties.
Great article guys!!!!!!
Hello, I think you missed out one thing here, which is SSL for Outlook Anywhere. Could you update the same as well? It will be useful for the readers.
Looking for info on publishing Outlook Anywhere via TMG 2010 as opposed to a different firewall
Can you help, please?
What do I have to configure to support multiple Outlook Anywhere email domains with a single Exchange 2010 site?
e.g. webmail.domain.com, webmail.domain2.com, webmail.domain3.com
Can I run it like this (or to this effect via another configuration method)?
Enable-OutlookAnywhere -Server ‘CASarray’ -ExternalHostname ‘webmail.domain.com’, ‘webmail.domain2.com’, ‘webmail.domain3.com’ -DefaultAuthenticationMethod ‘NTLM’
Thanks in advance.
Hi
Have you configured multiple domains?
Regards
Lal
Great article and helped me to setup my outlook anywhere deployment
Dear Team,
How are you? Hope you are fine. Now I am facing 1 problem related to Outlook Anywhere. I am using Windows Server 2008 R2, Exchange Server 2010. I had enabled Outlook Anywhere on my server and I bought the certificate from DigiCert for my Exchange server. But when I am using the online tool for Exchange connection testing, “https://www.testexchangeconnectivity.com/”, I got the error as below:
Testing RPC/HTTP connectivity.
The RPC/HTTP test failed.
Test Steps
Attempting to resolve the host name mail.thakral.com.kh in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 175.28.3.58
Testing TCP port 443 on host mail.thakral.com.kh to ensure it’s listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it’s valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server mail.thakral.com.kh on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=thakral.com.kh, OU=IT, O=Neeka Limited, L=Phnom Penh, S=Phnom Penh, C=KH, Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name mail.thakral.com.kh was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=thakral.com.kh, OU=IT, O=Neeka Limited, L=Phnom Penh, S=Phnom Penh, C=KH.
One or more certificate chains were constructed successfully.
Additional Details
A total of 2 chains were built. The highest quality chain ends in root certificate CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US.
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the “Update Root Certificates” feature isn’t enabled.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn’t expired.
Additional Details
The certificate is valid. NotBefore = 6/12/2012 12:00:00 AM, NotAfter = 6/19/2013 12:00:00 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn’t detected.
Additional Details
Accept/Require Client Certificates isn’t configured.
Testing HTTP Authentication Methods for URL https://mail.thakral.com.kh/rpc/rpcproxy.dll.
The HTTP authentication methods are correct.
Additional Details
ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic
Attempting to ping RPC proxy mail.thakral.com.kh.
RPC Proxy can’t be pinged.
Additional Details
A Web exception occurred because an HTTP 404 – NotFound response was received from IIS7.
Please kindly help me to support me on that case. Now I have no solution to fix the Exchange server for Outlook Anywhere yet. But for Exchange ActiveSync, it is working properly. THANK
Don’t forget to enable the RPC over HTTP feature or Outlook Anywhere won’t work
Hi sir,
I have some queries,
One of my clients is complaining that, while their external users try to connect with Outlook, it takes 9-10 mins, and after connecting to Outlook, when they try to send mail it takes 40-45 secs,
there is not any issue with OWA,
Please help me to resolve this issue,
My Outlook does not have the option of Outlook Anywhere. I’m using POP/SMTP email configured with IP address. I need to access my mails everywhere I go, as long as I am connected to any network.
Are you the administrator of the server?
Hii,
How to change my server Outlook Anywhere name? I am reading and applying this article but I don’t change my server name.
Thank you so much. This saved my bacon in a training session with 30 users who were training on Tasks. We found out the day of training that our VPN connection would not be allowed through the guest network available at the training center. With your help we had it all set in 15 minutes and training could continue.
After setting all the configuration above, I still get an error message of invalid certificate. Can’t we use a self signed certificate for Outlook use anywhere??
What exactly is the procedure of generating self required certificate for use anywhere????
Install the self signed certificate on the client as a trusted root CA
Hi Paul,
If you have FBA enabled on your TMG listener and OA is configured for NTLM, I believe I won’t be able to authenticate through TMG. For some reason, the MS whitepaper implies that if you have a FBA Listener you will have only Basic Auth delegation available for OA.
In my case FBA listener works with my OA rule only if I pass through TMG by configuring the Authentication delegation to No Authentication but clients may authenticate directly.
I would like to keep FBA on TMG and NTLM on OA for my domain users, but this causes issues with the OAB (web-based) download when passing through TMG, causing a credentials pop-up box.
Any ideas?
Hi Paul,
I need help. What are the requirements in setting up a outlook exchange server 2010? Such as; server (physical), domain (paid) and software…
Thanks in advance
Best secret I found in doing this is either create profile and resolve name on the LAN first or via VPN. Set up Mail Profile from Control Panel -> Mail (32 bit). Create profile and follow wizard, except check box for manual setup and use INTERNAL Exchange Server name, and “Check Name”. (This is when you would need to connect VPN first, if you’re not on the physical LAN.) When name comes back underlined (successfully resolved), go to More Settings button, and proceed to the tab to set up Outlook Anywhere proxy server (remote.yourdomain.com, in the case of SBS 2011 default.) Leave the LAN or disconnect the VPN and launch Outlook. You should be prompted for a login (domain\username format) and password. If this is your first time connecting Outlook on this machine, it’ll ask for your name and initials, then “preparing mailbox for first use” and so on until you are looking at your mailbox, FROM the Internet, no VPN required. Everything else in the original article is rock solid helpful. Thanks Paul!
Thanks a lot CBlue , that really helps me. But my main problem now is the EXTERNAL Exchange server. How to set up External exchange server? What exactly do I need is how to create this and its requirements.
Thanks again
Well, I believe the original article here deals with setting up the [external] Exchange Server. My comment was more towards the SBS 2011 Standard (Small Business Server 2011), which has a sort of ‘integrated’ Exchange Server, and is often left out of discussions on Exchange Server (or Windows Server 2008 R2, on which it’s based.)
Hi CBlue, can you please give me the link of your tutorial regarding integrated exchange server. I’m still studying on how to set up Microsoft Exchange Server 2012. I’m still figuring out what will be the requirements in hardware,software like exchange server and active directory. Thanks
Hi CBlue, in your reply regarding Outlook Anywhere you indicated that after connecting to the network and setting up the profile with Outlook Anywhere configured that you could access your mail without VPN, just an internet connection, that you would be asked for logon credentials and then it would open. I am using a profile with Outlook Anywhere for the first time. My computer was on the company network, configured for Outlook Anywhere; when I try to open Outlook I am prompted for my domain credentials but it doesn’t let me in because it can’t authenticate me because I am not connected to a domain. How is this supposed to work? If I cancel the login then I am working with my offline folders only. I am trying to understand the advantages of Outlook Anywhere but I don’t understand how it is supposed to work.
Thank you,
AlyceO
Make sure that it works on the LAN first, and is configured to use the Exchange server on the LAN. THEN, set up for Outlook Anywhere proxy server (“remote.yourdomain.com”, in the case of SBS 2011 default.) in the “More settings” go to the “Connection” tab and click the Exchange Proxy Server button and follow the original directions to set up your publicly accessible and named Exchange Server in the url box, and pick NTLM as authentication method. Should work at this point. Test it as follows: leave the domain, Launch Outlook, while connected to the Internet. Should be able to traverse the firewall and talk to the [Exchange] server at this point.
CBlue, it does work on the LAN, but our admins have us use Basic Authentication, not NTLM. I think I know what the issue may be; I will try that. Thank you for the information.
AlyceO
Try this:
http://blog.ronnypot.nl/?page_id=434
Hi,
I find this write-up very educative. I have configured exchange, but cannot get outlook anywhere to work due to the certificate. If I could get to chat with you live on skype or google chat, that will enable me to get realtime questions across so you assist me set it up.
I will be most grateful
Hi Paul,
Let me add some more information. My exchange 2010 has a self-signed certificate. The internal exchange server name is what is contained in the self-signed certificate and the owa name is different from the internal name.
Could this be the reason why when configuring Outlook Anywhere I get error code 10? I urgently need your assistance
How are you? Hope you are fine. Now I am facing 1 problem related to configuring Exchange server: not configured, why?
Nice article on outlook anywhere .. good feature and given a good info
issue with users outside my domain ….
other isp few users with outlook 2010 users are normal and able to check mails without password
few with 2007 outlook user have to change the authentication method from NTLM to basic then it is asking password for mails (default returns to NTLM )
Kindly support with a solution on this so that
SURAJ
If the Exchange server is configured for Basic auth for Outlook Anywhere then the Outlook clients need to use Basic auth. I’m not sure what else you are asking me here?
Paul,
few clients are running normal but for few clients are troubling with this issue.
regards
suraj