IT tutorials
 
Applications Server
 

Securing an Exchange Server 2007 Environment : Securing Outlook 2007 (part 1) - Outlook Anywhere

10/24/2014 3:23:14 AM
- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire

Exchange Server 2007 and Microsoft Outlook 2007 were designed to work together and, therefore, are tightly integrated. Utilizing these two products together can provide a formidable security front.

Outlook Anywhere

Prior to Exchange Server 2003, Outlook users who needed to connect to Exchange over the Internet had to establish a virtual private network (VPN) connection prior to using Outlook. The only alternatives were to open a myriad of remote procedure calls (RPC) ports to the Internet or make Registry modifications to statically map RPC ports. However, most companies felt that the benefits provided by these two “workarounds” were outweighed by the risks.

With Exchange Server 2003 and Outlook 2003, Microsoft provided an alternate (and very much improved) method for Outlook users to connect over the Internet. Known as RPC over HTTPS, this feature allowed Outlook 2003 users to access their mailboxes securely from remote locations utilizing the Internet and an HTTPS proxy connection. This feature reduced the need for VPN solutions, while still keeping the messaging environment secure.

In Exchange Server 2007, this functionality is known as Outlook Anywhere, and Microsoft has improved the functionality and greatly reduced the difficulty of deployment and management of the feature.

Outlook Anywhere can be used with both Outlook 2007 and Outlook 2003 clients. Outlook Anywhere provides the following benefits:

  • Users can access Exchange servers remotely from the Internet.

  • Organizations can use the same URL and namespace that is used for Exchange ActiveSync and Outlook Web Access.

  • Organizations can use the same SSL server certificate that is used for Outlook Web Access and Exchange ActiveSync.

  • Unauthenticated requests from Outlook are blocked and cannot access Exchange servers.

  • Clients must trust server certificates, and certificates must be valid.

  • No VPN is needed to access Exchange servers across the Internet.

Note

For a Windows client to use this feature, the system must be running Windows XP SP1 or higher or Windows Vista.


Preparing Your Environment for Outlook Anywhere

Enabling Outlook Anywhere in an Exchange Server 2007 environment is a very straightforward process, and can be done using either the Exchange Management Console or the Exchange Management Shell. However, prior to enabling the product, you must perform the following procedures:

1.
Install a valid SSL certificate from a trusted certificate authority (CA).

Note

When you install Exchange Server 2007, you have the option of installing a default SSL certificate that is created during the Exchange setup process. However, this certificate is not a trusted SSL certificate. It is recommended that you either install your own trusted self-signed SSL certificate, or trust the default SSL certificate that is created during the Exchange setup process.

2.
Install the RPC over HTTP Windows networking component. To do so, perform the following steps.

3.
Log on to a server that has the Client Access server role installed. You must log on as an Exchange organization administrator and as a member of the local Administrators group on the server.

4.
Select Start, Control Panel, and then double-click Add or Remove Programs.

5.
Click Add/Remove Windows Components.

6.
On the Windows Components page, select Networking Services, and click Details.

7.
Select the RPC over HTTP Proxy check box, and then click OK.

8.
Click Next and after the installation and configuration has completed, click Finish.

Enabling Outlook Anywhere from the Exchange Management Console

After the prerequisite steps have been met, you can enable Outlook Anywhere. To do so from the Exchange Management Console, perform the following steps:

1.
Start the Exchange Management Console. In the console tree, expand the Server Configuration node, and then select the Client Access node.

2.
In the action pane, click Enable Outlook Anywhere. This starts the Enable Outlook Anywhere Wizard.

3.
In the External Host Name field, shown in Figure 1, type the appropriate external host name for your organization.

Figure 1. Configuring Outlook Anywhere.

4.
Select the appropriate External Authentication Method, either Basic Authentication or NTLM Authentication.

5.
If you are using an SSL accelerator and want to allow SSL offloading, select the Allow Secure Channel (SSL) Offloading check box.

Caution

Do not use the Allow Secure Channel (SSL) Offloading option unless you are sure you have an SSL accelerator that can handle SSL offloading. Selecting the option when you do not have this functionality prevents Outlook Anywhere from functioning properly.

6.
Click Enable to apply the settings and enable Outlook Anywhere.

7.
Review the completion summary to ensure there were no errors, and then click Finish to close the wizard.

Enabling Outlook Anywhere from the Exchange Management Shell

Alternatively, you can enable Outlook Anywhere from the Exchange Management Shell. To do so, run the following command from the shell:

enable-OutlookAnywhere -Server:'ServerName' -ExternalHostname:'ExternalHostName'
-ExternalAuthenticationMethod:'Basic' -SSLOffloading:$false


You can substitute “NTLM” for the ExternalAuthenticationMethod, and replace $false with $true if you are using SSL offloading.

Outlook Anywhere Best Practices

Consider the following best practices when deploying Outlook Anywhere:

  • Use at least one Client Access server per site— In Exchange Server 2007, a site is considered to be a network location with excellent connectivity between all computers. You should have at least one Client Access server solely dedicated to providing client access to the Exchange Server 2007 server running the Mailbox server role. For increased performance and reliability, you can have multiple Client Access servers in each site.

  • Enable Outlook Anywhere on at least one Client Access server— For each site, there should be at least one Client Access server with Outlook Anywhere enabled. This allows Outlook clients to connect to the Client Access server that resides closest to that user’s Mailbox server. By configuring your environment in this manner, users connect to the Client Access server in the site with their Mailbox server utilizing HTTPS. This minimizes the risk of using RPC across the Internet, which can negatively impact overall performance.

Finally, you must configure your organization’s firewall to allow traffic on port 443 because Outlook requests use HTTP over SSL. However, if you are already using either Outlook Web Access with SSL, or Exchange ActiveSync with SSL, you do not have to open any additional ports from the Internet.

Tip

Outlook users who will be using Outlook Anywhere as described in this section should be using Cached Exchange mode. Cached Exchange mode optimizes the communications between your Exchange servers and Outlook
 
Others
 
- Securing an Exchange Server 2007 Environment : Securing Your Windows Environment (part 3) - Keeping Up with Security Patches and Updates
- Securing an Exchange Server 2007 Environment : Securing Your Windows Environment (part 2) - Utilizing Security Templates
- Securing an Exchange Server 2007 Environment : Securing Your Windows Environment (part 1) - Windows Server 2003 Security Improvements , Windows Vista Security Improvements
- Securing an Exchange Server 2007 Environment : Client-Level Secured Messaging - Exchange Server 2007 Client-Level Security Enhancements
- Microsoft Exchange Server 2010 Requirements : Additional Requirements
- Microsoft Exchange Server 2010 Requirements : Software Requirements (part 2) - Windows Server Roles and Features
- Microsoft Exchange Server 2010 Requirements : Software Requirements (part 1) - Additional Software
- Microsoft Exchange Server 2010 Requirements : Getting the Right Server Hardware (part 3) - Disk Requirements
- Microsoft Exchange Server 2010 Requirements : Getting the Right Server Hardware (part 2) - Memory Recommendations, Network Requirements
- Microsoft Exchange Server 2010 Requirements : Getting the Right Server Hardware (part 1) - The Typical User , CPU Recommendations
 
Youtube channel
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
 
Popular tags
 
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS