Step By Step Guide To Setting Up Outlook Anywhere In Exchange 2007
To configure the server side of Outlook Anywhere for Exchange/Outlook 2007 and Outlook 2010 (formerly known as RPC over HTTPS, in Exchange 2003), the following steps are required. This step by step guide, though, assumes that you have configured your external DNS A record to point at your firewall, which then redirects to your CAS server, and that you have port 443 forwarded to the CAS.
Firstly we must ensure that the RPC over HTTP proxy component is installed on the server.
- From the Add/Remove programs select Windows components
- Select Networking Services then details
- Select RPC over HTTP Proxy -> OK
- Click Next to start the installation. Note that despite its warning, the server will not need to be rebooted.
- Click Finish to complete the installation
At this stage you should verify that the component is installed correctly. You can do this via the IIS administrative console.
- Check that you have 2 virtual sites/directories named RPC and RPCwithCert
- These sites should point to C:\WINDOWS\System32\RpcProxy which will contain the rpcproxy.dll
- You should also verify the RPC Proxy server extension is allowed in IIS (this will be enabled after you install the component)
At this stage we need to enable Outlook Anywhere inside of Exchange. This can be done a couple of ways, either through the EMS or EMC.
Enable Outlook Anywhere From The Exchange Management Shell
The three commands available to you are:
- Get-OutlookAnywhere
- Set-OutlookAnywhere
- Enable-OutlookAnywhere
If you are running E2k7 SP1 the command below will get you up and running.
Enable-OutlookAnywhere -ClientAuthenticationMethod -ExternalHostname -SSLOffloading <$true $false> [-Confirm []] [-DomainController ] [-IISAuthenticationMethods ] [-Server ] [-TemplateInstance ] [-WhatIf []]
So for example you would run:
Enable-OutlookAnywhere -Server mail1 -SSLOffloading:$false -ExternalHostname mail1.company.com.au -ClientAuthenticationMethod basic -IISAuthenticationMethods basic
Enable Outlook Anywhere From The Exchange Management Console
I generally find it quicker to do this task through the EMC, but some people prefer to use the command line as much as possible. The steps to get OA running through the EMC are:
- Open EMC –> Server Configuration –> Client Access.
- Choose the CAS server that you wish to enable for OA.
- In the actions panel on the right hand side of the screen choose Enable Outlook Anywhere
- You will now be asked to enter in the external host name for the server, so using the same name as the EMS example above, enter mail1.company.com.au (This name should be the same name that is present on your certificate).
- Set your preferred method of authentication and whether SSL offloading is required, then select Enable.
- Watch for any errors and if none appear select Finish.
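Whichever tool you used, the applied settings can be read back with Get-OutlookAnywhere and checked. The following is an added example, not part of the original post: Test-OutlookAnywhereConfig is a hypothetical helper written for PowerShell 2.0 or later, the sample object is constructed, and the three checks are assumptions about what you want to enforce.

```powershell
# Added example. Test-OutlookAnywhereConfig is a hypothetical helper; it only
# reads properties of the objects it is given and changes nothing.
function Test-OutlookAnywhereConfig {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Config,
        [Parameter(Mandatory = $true)] [string] $ExpectedHostname
    )
    process {
        $findings = @()
        $client = "$($Config.ClientAuthenticationMethod)"
        # Compare with -ne $null, not truthiness: an enum member may have value 0.
        $iis = @($Config.IISAuthenticationMethods |
                 Where-Object { $_ -ne $null } | ForEach-Object { "$_" })

        # The external name must be the one published in DNS and on the certificate.
        if ("$($Config.ExternalHostname)" -ne $ExpectedHostname) {
            $findings += "ExternalHostname is '$($Config.ExternalHostname)', expected '$ExpectedHostname'"
        }
        # The method handed to clients must be one that IIS accepts.
        if ($iis -notcontains $client) {
            $findings += "Clients are told to use '$client' but IIS accepts: $($iis -join ', ')"
        }
        # With offloading, the hop behind the offloader is plain HTTP.
        if ($Config.SSLOffloading -and ($iis -contains 'Basic')) {
            $findings += 'Basic authentication with SSL offloading: credentials cross the offloader-to-CAS hop unencrypted'
        }
        New-Object PSObject -Property @{
            Server    = "$($Config.Server)"
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings
        }
    }
}

# Constructed sample standing in for Get-OutlookAnywhere output (not real data).
$sample = New-Object PSObject -Property @{
    Server = 'MAIL1'; ExternalHostname = 'mail1.company.com.au'
    ClientAuthenticationMethod = 'Ntlm'; IISAuthenticationMethods = @('Basic')
    SSLOffloading = $true
}
$sample | Test-OutlookAnywhereConfig -ExpectedHostname 'mail1.company.com.au' | Format-List

# On the CAS, in the Exchange Management Shell:
# Get-OutlookAnywhere | Test-OutlookAnywhereConfig -ExpectedHostname 'mail1.company.com.au' | Format-List
```

The constructed sample yields two findings: the client method is not enabled in IIS, and Basic is accepted while SSL is offloaded.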
Certificate Generation.
If at this stage you are only running the original self-signed (and self-created) cert that was generated when your CAS box was installed, you will need to generate a trusted certificate to allow clients to connect to the server with the names above. Your default generated cert will only contain the CAS box's local domain name (e.g. mail1.company.local).
Refer to my upcoming post on Exchange Certificate Generation.
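Before pointing clients at the server, it helps to check that the certificate covers every name they will use. The following is an added example, not part of the original post: Get-MissingCertName is a hypothetical helper, the name lists are constructed from the host names used in this guide, and the wildcard rule assumes that `*` covers exactly one left-most label.

```powershell
# Added example. Get-MissingCertName is a hypothetical helper that returns the
# required names a certificate does not cover.
function Get-MissingCertName {
    param(
        [string[]] $RequiredNames,    # names clients will connect to
        [string[]] $CertificateNames  # subject / SAN DNS names on the certificate
    )
    foreach ($name in $RequiredNames) {
        $covered = $false
        foreach ($certName in $CertificateNames) {
            if ($certName -eq $name) { $covered = $true; break }   # -eq ignores case
            if ($certName.StartsWith('*.')) {
                $suffix = $certName.Substring(1)                   # e.g. ".company.com.au"
                $keep   = [Math]::Max(0, $name.Length - $suffix.Length)
                $label  = $name.Substring(0, $keep)                # part the "*" must match
                $match  = $name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
                # "*" may stand for one non-empty label only, so no dots in it.
                if ($match -and $label -and $label -notmatch '\.') { $covered = $true; break }
            }
        }
        if (-not $covered) { $name }
    }
}

# Constructed input: the external name from this guide, checked against a
# default certificate that carries only the internal name.
$required    = @('mail1.company.com.au')
$defaultCert = @('mail1.company.local')
Get-MissingCertName -RequiredNames $required -CertificateNames $defaultCert
# -> mail1.company.com.au

# A wildcard certificate for the external domain covers the same name.
Get-MissingCertName -RequiredNames $required -CertificateNames @('*.company.com.au')
# -> (no output)

# On the CAS, feed in the names from each installed certificate:
# Get-ExchangeCertificate | ForEach-Object {
#     Get-MissingCertName -RequiredNames $required `
#         -CertificateNames @($_.CertificateDomains | ForEach-Object { "$_" })
# }
```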
How To Set Up Your Outlook Client For Outlook Anywhere
The best way if possible is to set the client up whilst in the office or connected over a VPN. If you haven’t got this available, then it’s not the end of the world, but it will just make your life a bit harder.
To set a new user up you must create a new mail profile using the following steps. If you are using a locally generated certificate from a non-root CA, then you will need to import the certificate into the local client store before the client will be able to access the server.
- Select Create new Mail Profile
- Check the Manually Configure Server box at the bottom of the window
- Select Microsoft Exchange
- Enter in the FQDN of your mail server (make sure you enter the external address), enter the user name, and make sure that cached mode is switched on.
- Select More settings, and then the connections tab.
- Tick the “Connect to Microsoft Exchange using HTTP”, and then select the Exchange Proxy settings button.
- Input the external name of your mail server in the first box. Eg mail1.company.com.au
- Select the Only connect to Proxy servers that have this name, and enter in “msstd:https://mail1.company.com.au”
- Set the authentication method to match what was selected on the server.
- Click ok, and finish to complete the setup.
If you have set up the auto discover service then you also have the option of using this method to set up the client. I’ll detail this in another blog soon.
You should now be able to fire up Outlook and enter in the credentials.
Verify client connection status
To verify that the client is connecting to the CAS box using HTTPS run through the following steps.
- Run outlook and log on using the required credentials.
- In the system tray hold down the Ctrl key and right click on the Outlook icon.
- Select connection status.
You should now be able to see if the connection is via TCP or HTTPS.
Troubleshooting
If you have any issues with connectivity, Microsoft provides this great site for testing.
https://www.testexchangeconnectivity.com/
sandip
Hello Allan,
Thanks for the great post, but I still have some queries.
We have two domains in our environment, abc.com and xyz.com, and wanted to enable Outlook Anywhere.
1. Do we need to create an A record for autodiscover internally?
2. Do we need to create a new zone in DNS for autodiscover?
3. Which domain name should I put in certificates?
Like abc.com, xyz.com, autodiscover.abc.com, autodiscover.xyz.com, *.abc.com, *.xyz.com
4. Do we need to create an autodiscover record on public DNS? If yes, what should the host name be?
e.g. autodiscover.abc.com, autodiscover.xyz.com
Thanks
Allen White
Hello, just create the DNS forward lookup zones for both domains, then create the Autodiscover record in both zones pointing to the correct CAS server.
You do not need an external A record for autodiscover, but you do need it on your certificate as a SAN.
🙂
Allen