In this tutorial I will demonstrate how to enable and configure Exchange Server 2010 Outlook Anywhere to provide secure mailbox connectivity for remote Outlook users.
Outlook Anywhere is a much better solution for remote email access than POP or IMAP because the end user experience is the same whether the user is running Outlook on the LAN or remotely. Because every Outlook Anywhere connection is wrapped in SSL/HTTPS, it is also inherently more secure than protocols such as POP and IMAP, which have unencrypted variants that companies often deploy.
What is Outlook Anywhere?
Outlook Anywhere is a service provided by the Client Access server role that allows Outlook clients to make a secure connection over SSL/HTTPS to their mailbox from remote locations. In Exchange Server 2003 this feature was known as RPC over HTTP; it was renamed Outlook Anywhere in Exchange 2007 and keeps that name in Exchange 2010.
By wrapping the normal Outlook RPC (MAPI) requests in HTTPS, the connections can traverse firewalls over the common SSL/HTTPS port (TCP 443) without the RPC endpoint mapper and the dynamic RPC ports having to be opened to the internet.
There are three main tasks to deploy Outlook Anywhere in an Exchange environment:
- Enable and configure Outlook Anywhere on the Client Access server
- Configure the perimeter firewall to allow SSL/HTTPS connections from external networks to the Client Access server
- Configure the Outlook clients to use Outlook Anywhere when connecting from remote networks
Enable Outlook Anywhere on Exchange Server 2010
In the Exchange Management Console navigate to Server Configuration -> Client Access, and select the Client Access server you want to enable for Outlook Anywhere.
If you have multiple Client Access servers in an Active Directory site, choose the internet-facing Client Access server. If you have deployed a load-balanced CAS array, you will need to repeat this process on every member of the array.
With the server selected, in the action pane of the Exchange Management Console click on Enable Outlook Anywhere.
The Enable Outlook Anywhere wizard launches. Enter the external host name for Outlook Anywhere users to use when connecting remotely to Exchange, and choose an authentication method.
The external host name you choose should ideally be one that is already included in the certificate bound to IIS on the Client Access server, either as the subject name or as a subject alternative name, and that certificate should be issued by a CA the remote clients trust. Otherwise you will need to request a new certificate for Exchange before remote clients can connect.
The Outlook Anywhere authentication method you choose will depend on a few factors in your environment.
- Basic Authentication – this requires that Outlook users enter their username and password each time they connect to Outlook Anywhere. The credentials are sent only Base64-encoded, which is equivalent to clear text, so it is critical that Outlook Anywhere connections only ever occur over SSL/HTTPS. You may need to choose Basic Authentication if the connecting computers are not members of the domain, if the ISA Server publishing rule and listener are shared with other Exchange services that require Basic Authentication, or if the firewall being used does not support NTLM authentication.
- NTLM Authentication – this is ideal for domain-joined clients because the logged-on user's Windows credentials are used and the user does not have to enter a username and password each time they connect. However, NTLM may not pass through some firewalls or ISA Server publishing scenarios, in which case you will have to fall back to Basic Authentication.
When you have configured the Outlook Anywhere settings click Enable to continue, and then click Finish to close the wizard.
The Outlook Anywhere configuration for Exchange 2010 takes effect within about 15 minutes of completing the wizard, because the RPC over HTTP proxy component is configured by a background task rather than immediately. The Application Event Log will record Event ID 3008 and a series of other events when the configuration has been applied to the server; do not start troubleshooting client connections until that event has appeared.
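The same three steps can be done from the Exchange Management Shell, which is also the easiest way to confirm that the certificate covers the external host name and that the configuration has actually been applied. This is an added example and not code from the original article; the server name CAS01 and the host name mail.example.com are placeholders, and the Test-OutlookConnectivity syntax is the Exchange 2010 form of that cmdlet.

```powershell
# Added example, not part of the original article. Run in the Exchange Management Shell
# on the Exchange Server 2010 Client Access server being enabled. CAS01 and
# mail.example.com are placeholders; replace them with your own values.

$cas      = 'CAS01'
$external = 'mail.example.com'

# 1. Check that the certificate enabled for IIS on the CAS already covers the external
#    host name, either exactly or via a wildcard for its parent domain. Remote Outlook
#    clients will not connect if the name is missing.
$iisCert = Get-ExchangeCertificate -Server $cas |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
if ($iisCert -eq $null) { throw "No certificate is enabled for the IIS service on $cas" }

$parentDomain = $external.Substring($external.IndexOf('.') + 1)
$covered = $false
foreach ($name in $iisCert.CertificateDomains) {
    $domain = "$name"   # CertificateDomains entries are domain objects; compare as strings
    if ($domain -eq $external -or $domain -eq "*.$parentDomain") { $covered = $true }
}
if (-not $covered) {
    $msg = "{0} is not in the IIS certificate ({1}); request a certificate that includes it before enabling Outlook Anywhere" -f
           $external, ($iisCert.CertificateDomains -join ', ')
    Write-Warning $msg
}

# 2. Enable Outlook Anywhere. NTLM suits domain-joined clients; choose Basic if the
#    firewall or ISA listener cannot pass NTLM. SSLOffloading $false keeps TLS terminated
#    on the CAS itself, so the RPC traffic is never in the clear on the network.
Enable-OutlookAnywhere -Server $cas -ExternalHostname $external `
    -ClientAuthenticationMethod Ntlm -SSLOffloading $false

# 3. Read back the configuration that was written for this server.
Get-OutlookAnywhere -Server $cas |
    Format-List ServerName, ExternalHostname, ClientAuthenticationMethod,
                IISAuthenticationMethods, SSLOffloading

# 4. The RPC over HTTP proxy is configured by a background task that can take up to
#    15 minutes; the article notes it logs Event ID 3008 in the Application log when done.
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.EventID -eq 3008 } |
    Select-Object -First 1 TimeGenerated, Source, Message

# 5. Once that event has appeared, test an end-to-end RPC over HTTP connection.
#    Requires the test mailbox created by scripts\New-TestCasConnectivityUser.ps1.
Test-OutlookConnectivity -Protocol HTTP -GetDefaultsFromAutodiscover $true
```

Run step 1 before step 2 rather than after: if the warning fires, fix the certificate first, because enabling Outlook Anywhere against a host name the certificate does not cover produces clients that prompt for credentials and then fail with a certificate error.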
Configure the Firewall for Exchange Server 2010 Outlook Anywhere
To enable remote Outlook users to connect to Outlook Anywhere the perimeter firewall for the network must be configured to allow the SSL/HTTPS connections to pass through to the Client Access server.
The precise steps for this will depend on which firewall you are using in your environment. However the basic components of this configuration are:
- A public DNS record for the external host name you are using for Outlook Anywhere
- A public IP address on the firewall that the public DNS record resolves to
- A NAT or publishing rule to allow SSL/HTTPS connections to reach the Client Access server
If you are running an internet-facing Exchange Server 2010 CAS array behind a load balancer, configure the firewall rule to direct the SSL/HTTPS traffic to the load balancer's virtual IP address in front of the Client Access servers. Note that the CAS array object itself is an internal MAPI RPC endpoint: its name should not be used as the Outlook Anywhere external host name and should not be resolvable from the internet.
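Before handing the external host name to users it is worth checking all three firewall components from the outside, the way a remote Outlook client will see them: public DNS, the certificate presented on port 443, and the RPC proxy endpoint behind the NAT or publishing rule. The script below is an added example and not from the original article; it needs only plain Windows PowerShell on a workstation outside the corporate network. The host name is a placeholder, and /rpc/rpcproxy.dll is the RPC over HTTP proxy path that the Outlook client itself uses.

```powershell
# Added example, not part of the original article. Plain Windows PowerShell, run from a
# workstation OUTSIDE the corporate network; no Exchange tools are needed.
$external = 'mail.example.com'   # placeholder external host name

# 1. The external host name must resolve in public DNS to the firewall's public address.
$addresses = [System.Net.Dns]::GetHostAddresses($external) |
    ForEach-Object { $_.IPAddressToString }
if (-not $addresses) { throw "$external does not resolve in public DNS" }
"DNS: $external -> $($addresses -join ', ')"

# 2. Complete a TLS handshake on 443 through the firewall and capture any certificate
#    validation errors. The callback accepts the certificate so the handshake completes
#    and the errors can be reported, rather than failing blind. Diagnostics only.
$global:oaSslErrors = $null
$validate = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $errors)
    $global:oaSslErrors = $errors
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($external, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
$ssl.AuthenticateAsClient($external)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

"TLS: subject=$($cert.Subject) issuer=$($cert.Issuer) expires=$($cert.NotAfter)"
"TLS: validation errors = $global:oaSslErrors"   # must be None, or Outlook will not connect

# 3. The host name (or a wildcard for its parent domain) must appear in the subject or
#    subject alternative name. Outlook enforces this when the principal name option is
#    set in its proxy settings.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
$names = $cert.Subject + ' ' + $san
$exact = [regex]::Escape($external)
$wild  = [regex]::Escape('*.' + $external.Substring($external.IndexOf('.') + 1))
if ($names -notmatch $exact -and $names -notmatch $wild) {
    Write-Warning "$external is not in the certificate subject or SAN: $names"
}

# 4. The RPC proxy endpoint should answer 401 with a WWW-Authenticate header (Basic, or
#    NTLM/Negotiate, matching the authentication method chosen on the server). 404 means
#    the RPC proxy component is not configured on the server the rule points at; a
#    connection failure or timeout points at DNS, NAT or the firewall rule itself.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $validate
$req = [System.Net.HttpWebRequest]::Create("https://$external/rpc/rpcproxy.dll")
$req.Method  = 'GET'
$req.Timeout = 15000
try {
    $resp   = $req.GetResponse()
    $status = [int]$resp.StatusCode
    $auth   = $resp.Headers['WWW-Authenticate']
    $resp.Close()
}
catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if ($resp -ne $null) {
        $status = [int]$resp.StatusCode
        $auth   = $resp.Headers['WWW-Authenticate']
    } else {
        throw "No HTTP response from /rpc/rpcproxy.dll: $($_.Exception.Status)"
    }
}
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
"RPC proxy: HTTP $status  WWW-Authenticate: $auth"
```

A 401 whose WWW-Authenticate header lists only NTLM or Negotiate when you chose Basic on the server (or the reverse) means a firewall or publishing rule in the path is rewriting the authentication, which is exactly the case where NTLM will not work for remote clients.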
Configure Outlook Clients for Exchange Server 2010 Outlook Anywhere
Before an Outlook client can connect to Outlook Anywhere it needs to be configured with the correct settings. In Outlook 2010 open the Account Settings for the Outlook profile that is configured.
Double-click to open the properties of the Exchange Server profile that is configured.
Click on More Settings, and then select the Connection tab of the settings dialog box that appears.
Tick the box to Connect to Microsoft Exchange using HTTP, and then click the Exchange Proxy Settings button.
Enter the External Host Name that was configured for Outlook Anywhere earlier on the Client Access server. If you tick Only connect to proxy servers that have this principal name in their certificate, the value must match the name in the Exchange certificate, in the form msstd:mail.example.com (substituting your own host name); Outlook will refuse the connection if the certificate does not carry that name. Tick On fast networks, connect using HTTP first if remote clients should always use Outlook Anywhere rather than first attempting a direct RPC connection that the firewall will block. Finally, configure the Proxy Authentication Settings (Basic Authentication or NTLM Authentication) to match the client authentication method chosen on the server.
Click OK, OK, Next and then Finish to apply the change to Outlook 2010. You must restart Outlook for the new settings to take effect.
Now that Outlook 2010 has been configured for Exchange Server 2010 Outlook Anywhere, any time the user launches Outlook from a remote location that can reach the perimeter firewall over the internet, they will be able to securely access their mailbox as though they were still on the corporate network.