- Disable strict name checking with PowerShell - Mon, Sep 1 2014
- ManageEngine Exchange Reporter Plus review - Wed, Aug 20 2014
- EventSentry – Full-spectrum monitoring - Thu, Jul 17 2014
Outlook Anywhere, formerly known as RPC over HTTP, is an Exchange server feature that has been around since 2003 and allows Outlook clients to connect anywhere as long as they have an internet connection. There is no need to go to a website or VPN into the company’s intranet; just fire up Outlook and let the email flow.
Outlook Anywhere wraps Remote Procedure Calls inside an HTTP layer to allow connectivity with the Exchange server. This simplifies the firewall administration process requiring only the SSL port 443 to be opened to the CAS (Client Access Server) instead of several ports to the actual Mailbox Server (MBX).
In Exchange 2003 and 2007 you must manually enable Outlook Anywhere. In Exchange 2013, this feature is turned on by default as it is now the primary way to connect Outlook to Exchange. In any event, Outlook Anywhere needs to be set up correctly in order for clients to seamlessly utilize it.
Step 1 – RPC over HTTP Proxy Feature
Because Outlook Anywhere is now installed with Exchange 2013 by default, the RPC over HTTP Proxy feature should be automatically installed. However, it is always best to verify this because this is the bread and butter of Outlook Anywhere.
Open the Server Manager from the Start Menu.
Click on Features in the left window pane in order to open the Features Summary window.
You should now see the RPC over HTTP Proxy under the Features: heading.
If this is not the case and you do not see it installed, you will need to add it manually by clicking the Add Features on the right side of the screen.
Then select the feature and click Install.
Step 2 – DNS and Security Certificates
Most likely you have already added the mail subdomain that points to your CAS server. In this example, the domain is aetest.com. Therefore, our subdomain is mail.aetest.com. We need to add a Host (A) record that points internally to our CAS server and externally to the NAT for that server. It should look something like this:
Internal:
mail Host (A) 10.131.14.90
External:
mail Host (A) <external NAT IP>
Depending on how your site’s DNS is set up, you may have to get your ISP to add the external record for you.
Now that we have the DNS set up we need to verify/install the security certificate for mail.aetest.com to our CAS server. Again, most likely you have already accomplished this when setting up your Exchange server. You must first obtain a valid security certificate from a trusted source such as Symantec. Ensure that you get it for mail.<your_domain>.com.
Depending on what type of certificate and who it was requested through, the installation steps may be different. Please refer to your vendor’s installation instructions. You must have a valid certificate installed on your CAS server in order for Outlook Anywhere to work properly. Otherwise, Outlook will just report an error and not allow the Outlook Anywhere connection.
Step 3 – Outlook Anywhere Configuration (EAC or EMS)
After verifying the prerequisites for Outlook Anywhere, we are ready to configure the settings. There are two ways we can accomplish this: EAC (Exchange Admin Center – the web based replacement for the EMC) and EMS (Exchange Management Shell).
Arguably, the easiest route is to use EMS. There is a lot less effort involved and this is the direction Microsoft is pushing admins to manage their environments. However, some people are still more comfortable using a GUI to configure Outlook Anywhere.
Exchange Admin Center
Open a browser from your CAS server and go to http://localhost/ecp. You will be met with the following:
Enter your logon credentials and press enter. When you have successfully logged in, click the servers link on the left.
And then the pencil icon above the server name on the subsequent page.
The next window that pops up will be the Edit screen for the CAS server. On the left, click Outlook Anywhere and fill in the information. We want to set the internal and external URL’s to mail.aetest.com, the authentication method to NTLM, and uncheck Allow SSL offloading. If you plan on offloading the SSL certs, you may keep it checked.
Click the Save button to save the new configuration and close the Edit window.
Exchange Management Shell (EMS)
To configure Outlook Anywhere via the EMS, open the Exchange Management Shell from the Start menu.
The syntax for the cmdlets to configure Outlook Anywhere look like the following:
Set-OulookAnywhere –Identity ‘<CAS Server>\rpc (Default Web Site)’ <commands>
In our example, to set the internal and external URL’s we will use the following:
Set-OutlookAnywhere -Identity 'AETESTEXCD01\rpc (Default Web Site)' –ExternalHostname mail.aetest.com –InternalHostname mail.aetest.com –ExternalClientAuthenticationMethod Ntlm -ExternalClientsRequireSsl:$true –InternalClientAuthenticationMethod Ntlm -InternalClientsRequireSsl:$true –IISAuthentication Ntlm –SSLOffloading:$false
Remember to enter this all together on one line without pressing enter. The command may be long, but we successfully configured everything from a cmdlet without having to go into the EAC, logging in, clicking here, clicking there, etc…
Step 4 – Verification
Microsoft has come up with an amazing site to test the connectivity of Exchange: Microsoft Remote Connectivity Analyzer
As you can see, there are many testing options we can select from. We want to test Outlook Anywhere, so select the Outlook Anywhere (RPC over HTTP) radio button under Microsoft Office Outlook Connectivity Tests and click Next.
Enter the valid information into the form and click Perform Test at the bottom.
The website will then begin to test your Outlook Anywhere settings.
Once complete, the site will give you the status and any other pertinent information such as how to fix an issue.
Step 5 – Client configuration
To do this, open Outlook and go to File on the menu bar and then click the Account Setting button and the Account Settings…
When the Account Settings dialogue box pops up, click the account and then the Change… button.
Another dialogue box will pop up. Click the More Settings… button. Stay with me. We’re almost there!
Now we get to the Exchange Settings dialogue box. Click on the Connection tab. You will see that there is a section for Outlook Anywhere and a tick box that says Connect to Microsoft Exchange using HTTP. As you can see from the screenshot, mine is greyed out. I have set this up via Group Policy. Now click on the Exchange Proxy Settings… button.
Finally we are at the spot where we can enter our information for Outlook Anywhere. Enter the required information into form as shown in the screenshot. The principal name text box must be preceded with the msstd: prefix in order for the certificate to be valid. This will automatically be added.
Once you have completed the form click the OK button close Outlook completely.
Note: As I mentioned, I set up Outlook Anywhere via GPO. In order to do so, you must download an admin template. Microsoft has provided instructions on how to do this and the admin template download.
Summary
In this article we looked at how to install and configure Outlook Anywhere for Exchange 2013. We verified the prerequisites and talked about some gotcha’s with DNS and SSL certificates. We then configured our Client Access Server for Outlook Anywhere using both the GUI and the command line. Finally we verified our configuration using Microsoft’s Remote Connectivity Analyzer and configured the Outlook client.
Hi,
Thanks for your tutorial.
I’ve followed the instructions and on a Outlook Anywhere tests it’s failing on:
Attempting to ping RPC proxy publicdomain.co.uk.
RPC Proxy can’t be pinged.
Additional Details
A Web exception occurred because an HTTP 555 – 555 response was received from Unknown.
Can you kindly provide any advice on this error?
Hi Mark,
An RPC Proxy error could be caused by quite a few things. Depending on your environment, make sure that your SSL cert contains the name of the servers and the name of the Outlook Anywhere domain i.e. servername.publicdomain.co.uk and outlookanywhere.publicdomain.co.uk. This can be accomplished with a SAN cert. Hope this information has helped!
Hi Andrew,
I’m using a wildcard certificate for the time being as my internal/external domains are both publicdomain.co.uk.
Would this be causing the issue?
Autodiscover and active sync work perfectly.
Regards
Mark
It looks like that may be the issue:
http://technet.microsoft.com/en-us/library/cc535023%28v=exchg.80%29.aspx
I cannot say for certain however. Give that a try and see if it solves your issue.
Thanks Andrew.
Unfortunately I already came across that post and the CertPrincipalName is set on EXPR. It’s not set on EXCH or WEB however.
Perhaps a SAN certificate is the only way of resolving this issue. I’m yet to find an SSL provider who will supply a trial SAN certificate. Are you aware of any?
Thanks in advance.
Mark.
I was able to get a 30 day testing SAN certificate from Symantec (they bought Veritas) with the subdomain of my OA and the FQDN of my CAS server name in it. Hopefully they’ll be able to hook you up.
I also used your steps, word for word. Outlook Clients (@007 -2013 latest updates) keep coming up with a credentials request upon opening Outlook. You can click cancel, go to the Send/Receive tab and select Type Outlook Username and Password. It will then connect. But as soon as I send a message, another popup comes up. I enter it, everything seems fine. Then a few minutes later the credentials are requested and I get stuck in a loop and have to restart Outlook. I can send logs if you would like, I really need help on this. I’ve been working on it for a few days, and can’t seem to make headway. I really don’t want to use a support ticket with Microsoft if someone can help, I accidentally wasted one the other day. (I figured out the solution before Microsoft called back, and they still charged me for it.) Please help!! Thanks in advance.
Brett, I suggest you post this question in the 4sysops forum together wit the log. More IT pros will notice your question there.
Dear Andrew
Thanks for the article. In Step 5 – Client configuration, you said ((When the Account Settings dialogue box pops up, click the account and then the Change… button.))my questions is : what account do you mean? because I think here we are talking about creation of new account not about to modify existing account.
best regards
Hi Wagdi,
In step 5 your email account should already be configured as it would be if you were connected to your domain network so you are modifying the account. Step 5 just goes and changes the settings to allow that same account to access your email externally without logging into VPN.
thanks for response
If I have a new user outside my internal network(in another town). this user need to use Microsoft outlook (2007 or 2010).In the past with exchange 2003 I used pop mail (internet mail). now with exchange 2013 I need your help to do this via outlook anywhere or any other way. (new user with computer not joined to the domain).
please explain step by step
best regards
Dear Andrew
I’m waiting for your help
Wagdi,
Your best bet would be to use OWA (Outlook Web Access) through one of the client’s we browsers.