Exchange Server 2007 and Microsoft Outlook 2007 were
designed to work together and, therefore, are tightly integrated.
Utilizing these two products together can provide a formidable security
front.
Outlook Anywhere
Prior to Exchange Server 2003, Outlook users who needed to connect to Exchange over the Internet had to establish a virtual private network (VPN) connection prior to using Outlook. The only alternatives were to open a myriad of remote procedure call (RPC) ports to the Internet or make Registry modifications to statically map RPC ports. However, most companies felt that the benefits provided by these two “workarounds” were outweighed by the risks.
With Exchange Server 2003 and Outlook 2003, Microsoft provided an alternate (and very much improved) method for Outlook users to connect over the Internet. Known as RPC over HTTPS, this feature allowed Outlook 2003 users to access their mailboxes securely from remote locations utilizing the Internet and an HTTPS proxy connection. This feature reduced the need for VPN solutions, while still keeping the messaging environment secure.
In Exchange Server 2007, this functionality is known as Outlook Anywhere, and Microsoft has improved the functionality and greatly reduced the difficulty of deployment and management of the feature.
Outlook Anywhere can be used with both Outlook 2007 and Outlook 2003 clients. Outlook Anywhere provides the following benefits:
Users can access Exchange servers remotely from the Internet.
Organizations can use the same URL and namespace that is used for Exchange ActiveSync and Outlook Web Access.
Organizations can use the same SSL server certificate that is used for Outlook Web Access and Exchange ActiveSync.
Unauthenticated requests from Outlook are blocked and cannot access Exchange servers.
Clients must trust server certificates, and certificates must be valid.
No VPN is needed to access Exchange servers across the Internet.
Note
For a Windows client to use this feature, the system must be running Windows XP SP1 or higher or Windows Vista.
Preparing Your Environment for Outlook Anywhere
Enabling Outlook Anywhere in an Exchange Server 2007 environment is a very straightforward process, and can be done using either the Exchange Management Console or the Exchange Management Shell. However, prior to enabling the feature, you must perform the following procedures:
1. Install a valid SSL certificate from a trusted certificate authority (CA).
Note
When you install Exchange Server 2007, you have the option of installing a default SSL certificate that is created during the Exchange setup process. However, this certificate is not a trusted SSL certificate. It is recommended that you either install your own SSL certificate that your clients already trust, or explicitly trust the default self-signed certificate that is created during the Exchange setup process.
2. Install the RPC over HTTP Windows networking component. To do so, perform the following steps:
   a. Log on to a server that has the Client Access server role installed. You must log on as an Exchange organization administrator and as a member of the local Administrators group on the server.
   b. Select Start, Control Panel, and then double-click Add or Remove Programs.
   c. Click Add/Remove Windows Components.
   d. On the Windows Components page, select Networking Services, and click Details.
   e. Select the RPC over HTTP Proxy check box, and then click OK.
   f. Click Next and, after the installation and configuration have completed, click Finish.
Enabling Outlook Anywhere from the Exchange Management Console
After the prerequisite steps have been met, you can enable Outlook Anywhere. To do so from the Exchange Management Console, perform the following steps:
1. Start the Exchange Management Console. In the console tree, expand the Server Configuration node, and then select the Client Access node.
2. In the action pane, click Enable Outlook Anywhere. This starts the Enable Outlook Anywhere Wizard.
3. In the External Host Name field, shown in Figure 1, type the appropriate external host name for your organization.
4. Select the appropriate External Authentication Method, either Basic Authentication or NTLM Authentication.
5. If you are using an SSL accelerator and want to allow SSL offloading, select the Allow Secure Channel (SSL) Offloading check box.
Caution
Do not use the Allow Secure Channel (SSL) Offloading option unless you are sure you have an SSL accelerator that can handle SSL offloading. Selecting the option when you do not have this functionality prevents Outlook Anywhere from functioning properly.
6. Click Enable to apply the settings and enable Outlook Anywhere.
7. Review the completion summary to ensure there were no errors, and then click Finish to close the wizard.
Enabling Outlook Anywhere from the Exchange Management Shell
Alternatively, you can enable Outlook Anywhere from the Exchange Management Shell. To do so, run the following command from the shell:
enable-OutlookAnywhere -Server:'ServerName' -ExternalHostname:'ExternalHostName' `
    -ExternalAuthenticationMethod:'Basic' -SSLOffloading:$false
You can substitute “NTLM” for the ExternalAuthenticationMethod, and replace $false with $true if you are using SSL offloading.
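The following script is an added example, not code from the book or from Microsoft. It runs in the Exchange Management Shell on the Client Access server being enabled and checks the two prerequisites listed earlier (a usable IIS certificate that covers the external name, and the RPC over HTTP Proxy component) before issuing the same Enable-OutlookAnywhere call shown above, then reads the configuration back. The server name 'CAS01' and the host name 'mail.example.com' are placeholders, and the RpcProxy DLL path is the assumed install location used as the presence check.

```powershell
# Added example (not from the book): prerequisite checks, then Enable-OutlookAnywhere.
# Run in the Exchange Management Shell on the Client Access server itself.
$Server           = 'CAS01'              # placeholder: Client Access server name
$ExternalHostname = 'mail.example.com'   # placeholder: public name Outlook clients dial
$AuthMethod       = 'Basic'              # or 'Ntlm'
$SslOffloading    = $false               # $true only if an SSL accelerator terminates TLS

# Prerequisite 2: RPC over HTTP Proxy. Assumed location of its proxy DLL is used
# as the presence check; the component is what serves the /Rpc virtual directory.
$rpcProxyDll = Join-Path $env:SystemRoot 'System32\RpcProxy\rpcproxy.dll'
if (-not (Test-Path $rpcProxyDll)) {
    throw "RPC over HTTP Proxy is not installed on $Server (missing $rpcProxyDll)."
}

# Prerequisite 1: a valid certificate enabled for IIS that covers the external name.
# Get-ExchangeCertificate lists the local server's certificates; Services shows
# which Exchange services (IIS, SMTP, ...) each certificate is enabled for.
$iisCert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Select-Object -First 1

if (-not $iisCert) {
    throw "No certificate is enabled for IIS on $Server; import and enable one first."
}
if ($iisCert.NotAfter -lt (Get-Date)) {
    throw "The IIS certificate $($iisCert.Thumbprint) expired on $($iisCert.NotAfter)."
}

# Outlook refuses the connection when the name it dials is not on the certificate,
# so check the external name (or a matching wildcard) against the certificate's names.
$namesOnCert = @($iisCert.CertificateDomains)
$wildcard    = '*.' + ($ExternalHostname -replace '^[^.]+\.', '')
if (($namesOnCert -notcontains $ExternalHostname) -and ($namesOnCert -notcontains $wildcard)) {
    throw "The IIS certificate covers [$($namesOnCert -join ', ')] but not $ExternalHostname."
}

# A self-signed certificate passes the checks above but is not trusted by remote
# clients unless it has been distributed to them; flag it rather than fail.
if ($iisCert.Issuer -eq $iisCert.Subject) {
    Write-Warning "The IIS certificate is self-signed; remote Outlook clients will not trust it unless it is installed on them."
}

# Same call the section shows, with the values chosen above.
Enable-OutlookAnywhere -Server $Server -ExternalHostname $ExternalHostname `
    -ExternalAuthenticationMethod $AuthMethod -SSLOffloading $SslOffloading

# Read the configuration back to confirm what was applied.
Get-OutlookAnywhere -Server $Server | Format-List
```

Every check stops the script before the configuration is changed, which keeps a half-configured Client Access server from being published under a name that clients cannot validate.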
Outlook Anywhere Best Practices
Consider the following best practices when deploying Outlook Anywhere:
Use at least one Client Access server per site— In Exchange Server 2007, a site is considered to be a network location with excellent connectivity between all computers. You should have at least one Client Access server solely dedicated to providing client access to the Exchange Server 2007 server running the Mailbox server role. For increased performance and reliability, you can have multiple Client Access servers in each site.
Enable Outlook Anywhere on at least one Client Access server— For each site, there should be at least one Client Access server with Outlook Anywhere enabled. This allows Outlook clients to connect to the Client Access server that resides closest to that user’s Mailbox server. By configuring your environment in this manner, users connect to the Client Access server in the site with their Mailbox server utilizing HTTPS. This minimizes the risk of using RPC across the Internet, which can negatively impact overall performance.
Finally, you must configure your organization’s firewall to allow traffic on port 443 because Outlook requests use HTTP over SSL. However, if you are already using either Outlook Web Access with SSL, or Exchange ActiveSync with SSL, you do not have to open any additional ports from the Internet.
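The following function is an added example, not code from the book or from Microsoft. It is meant to be run from a client outside the firewall (PowerShell 2.0 or later, for the typed catch block) and verifies the two conditions just described from the client's side: that TCP 443 to the external host name is reachable, and that the certificate the server presents passes the same trust and name validation that Outlook applies before it will use Outlook Anywhere. The host name 'mail.example.com' is a placeholder.

```powershell
# Added example (not from the book): client-side check of the Outlook Anywhere
# endpoint. Uses only .NET classes available to Windows PowerShell 2.0.
function Test-OutlookAnywhereEndpoint {
    param(
        [string]$ExternalHostname = 'mail.example.com',   # placeholder external name
        [int]$Port = 443
    )

    # Step 1: is TCP 443 open from here? Failure here points at DNS or the firewall.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ExternalHostname, $Port)
    } catch {
        return "FAIL: cannot reach ${ExternalHostname}:$Port - check DNS and the TCP 443 firewall rule"
    }

    # Step 2: TLS handshake. AuthenticateAsClient validates the chain against this
    # machine's trust store and checks the host name, which is what Outlook requires.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($ExternalHostname)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        # Early warning: a certificate that is about to expire will start failing
        # every remote Outlook client at once.
        if ($daysLeft -lt 30) {
            return "WARN: trusted certificate '$($cert.Subject)' expires in $daysLeft days ($($cert.NotAfter))"
        }
        return "OK: trusted certificate '$($cert.Subject)' valid until $($cert.NotAfter)"
    } catch [System.Security.Authentication.AuthenticationException] {
        # Untrusted issuer, name mismatch or expired certificate all land here;
        # Outlook would refuse the connection for the same reason.
        return "FAIL: certificate rejected by this client - $($_.Exception.Message)"
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
}

Test-OutlookAnywhereEndpoint -ExternalHostname 'mail.example.com'
```

Running it from a machine that is not domain-joined gives the most honest answer, because such a machine has not received the organization's internal root certificates and therefore sees exactly what a home or hotel client sees.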
Tip
Outlook users who will be using Outlook Anywhere as described in this section should be using Cached Exchange mode. Cached Exchange mode optimizes the communications between your Exchange servers and Outlook