Outlook Anywhere provides secure Internet-based access to Exchange
Server. When you enable and configure this feature, users can use HTTPS
to connect to their Exchange mailboxes, eliminating the need for virtual
private network (VPN) connections. Because Outlook Anywhere uses the
same URLs and namespaces that you use for Exchange ActiveSync and
Outlook Web App, no additional configuration is required beyond the
initial setup. Outlook Anywhere is secure, so unauthenticated requests
from Outlook clients are blocked from accessing Exchange Server.
You can deploy Outlook Anywhere by performing the following procedures:
- Install a valid public SSL certificate on the Exchange Server.
- Install the RPC Over HTTP Proxy Windows networking component (if this isn't installed already).
- Enable Outlook Anywhere.
These procedures are discussed in the sections that follow.
Installing an SSL Certificate on the Exchange Server
For Outlook Anywhere to work, a default SSL certificate is created
for Exchange Server during installation of a Client Access server. This
certificate is meant to help you get started and is not designed for
long-term client use. Because of this, you'll likely want to use one
issued by your organization's certificate authority (CA) or a
third-party certificate service. The first time users access Exchange
Server using Outlook Web App, they may need to specify that they trust
the server certificate.
Because Outlook Anywhere requests use HTTPS, you must allow port 443
through your firewall. If you already use Outlook Web App with SSL or
Exchange ActiveSync with SSL, port 443 should already be open and you do
not have to open any additional ports.
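The following check, written for the Exchange Management Shell, shows whether the certificate served over HTTPS is still the self-signed default that setup creates, is close to expiry, or does not cover the external host name. It is an added example, not code from the original page; the function name Test-OutlookAnywhereCertificate and the sample objects are constructed for illustration, and it assumes the IsSelfSigned, NotAfter, Services, CertificateDomains, and Thumbprint properties returned by Get-ExchangeCertificate.

```powershell
# Added example, not from the original page. Reports certificates enabled for
# IIS that are self-signed, expired or expiring, or miss the external host name.
function Test-OutlookAnywhereCertificate {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Certificate,
        [Parameter(Mandatory = $true)] [string] $ExternalHostName,
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    # Parent domain of the host name, used for wildcard entries such as *.cpandl.com.
    $parent = $ExternalHostName.Substring($ExternalHostName.IndexOf('.') + 1)
    foreach ($cert in $Certificate) {
        # Only certificates enabled for the IIS service are presented on port 443.
        if ("$($cert.Services)" -notmatch 'IIS') { continue }
        $issues = @()
        if ($cert.IsSelfSigned) { $issues += 'self-signed' }
        if ($cert.NotAfter -lt $Now) { $issues += 'expired' }
        elseif ($cert.NotAfter -lt $Now.AddDays($WarnDays)) { $issues += "expires within $WarnDays days" }
        # Convert to strings so live and deserialized (remote shell) objects compare alike.
        $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
        if (($names -notcontains $ExternalHostName) -and ($names -notcontains "*.$parent")) {
            $issues += "does not cover $ExternalHostName"
        }
        New-Object PSObject -Property @{
            Thumbprint = "$($cert.Thumbprint)"
            Issues     = ($issues -join '; ')
        }
    }
}

# Constructed sample objects standing in for Get-ExchangeCertificate output.
$asOf = Get-Date '2010-06-01'
$sample = @(
    (New-Object PSObject -Property @{ Thumbprint = 'CONSTRUCTED-DEFAULT'; IsSelfSigned = $true
        NotAfter = $asOf.AddYears(5); Services = 'IMAP, POP, IIS, SMTP'; CertificateDomains = @('MAILSERVER25') }),
    (New-Object PSObject -Property @{ Thumbprint = 'CONSTRUCTED-CA-ISSUED'; IsSelfSigned = $false
        NotAfter = $asOf.AddDays(10); Services = 'IIS'; CertificateDomains = @('*.cpandl.com') })
)
Test-OutlookAnywhereCertificate -Certificate $sample -ExternalHostName 'mailer1.cpandl.com' -Now $asOf

# On a Client Access server:
# Test-OutlookAnywhereCertificate -Certificate (Get-ExchangeCertificate) -ExternalHostName 'mailer1.cpandl.com'
```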
Installing the RPC Over HTTP Proxy
For Outlook Anywhere to work, you should install the RPC Over HTTP
Proxy Windows networking component on the Exchange Server during
installation of a Client Access server. If for some reason this
component was not installed, was uninstalled, or becomes corrupted, you
must reinstall it.
With Windows Server 2008, you install this component by completing the following steps:
- Start Server Manager. Click Start, point to Programs or All Programs as appropriate, point to Administrative Tools, and then select Server Manager. Or click the Server Manager button on the Quick Launch toolbar.
- In Server Manager, select the Features node in the left pane and then click Add Features. This starts the Add Features Wizard.
- On the Select Features page, select RPC Over HTTP Proxy (as shown in Figure 1). If you see a prompt about additional required services, click Add Required Role Services to ensure that these additional services are installed.
- Click Next and then click Install. When the Add Features Wizard finishes the installation, click Close.
Determining Whether Outlook Anywhere Is Enabled
In the Exchange Management Console, you can determine whether Outlook
Anywhere is enabled by expanding the Server Configuration node and then
selecting the Client Access node. In the upper portion of the details
pane, Client Access servers are listed by default by name, role,
Exchange version, and Outlook Anywhere Enabled status.
You can use the Get-OutlookAnywhere cmdlet to list similar information
about Outlook Anywhere for all Client Access servers in your
organization. If you use the -Server parameter, you can limit the
results to a specific server. If you use the -Identity parameter, you
can examine a particular virtual directory on a server. Example 1
provides the syntax, usage, and sample output.
Example 1. Get-OutlookAnywhere cmdlet syntax and usage
Syntax
Get-OutlookAnywhere [-Server ServerName] [-DomainController DCName]
Get-OutlookAnywhere [-Identity VirtualDirId] [-DomainController DCName]
Usage
Get-OutlookAnywhere
Get-OutlookAnywhere -Server "CorpSvr127"
Get-OutlookAnywhere -Identity "CorpSvr127\Rpc (Default Web Site)"
Output
ServerName : MAILSERVER25
SSLOffloading : False
ExternalHostname : mailserver25.cpandl.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods : {Basic}
MetabasePath : IIS://MAILSERVER25.cpandl.com/W3SVC/1/
ROOT/Rpc
Path : C:\Windows\System32\RpcProxy
Server : MAILSERVER25
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Rpc (Default Web Site)
DistinguishedName : CN=Rpc (Default Web
Site),CN=HTTP,CN=Protocols,CN=MAILSERVER25,CN=Servers,CN=Exchange
AdministrativeGroup (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First
Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,
DC=cpandl,DC=com
Identity : MAILSERVER25\Rpc (Default Web Site)
Guid : e7333d25-8ad7-47ce-8120-f65ccc2279c8
ObjectCategory : cpandl.com/Configuration/Schema/ms-Exch-Rpc-
Http-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory,
msExchRpcHttpVirtualDirectory}
WhenChanged : 1/22/2008 5:02:32 PM
WhenCreated : 1/22/2008 5:02:32 PM
OriginatingServer : MAILSERVER25.cpandl.com
IsValid : True
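The properties in the Example 1 output can be reviewed for every Client Access server at once. The function below is an added example, not code from the original page; the name Get-OutlookAnywhereFinding and the sample objects are constructed for illustration. It flags Basic authentication, a client authentication method that the /rpc virtual directory does not accept, SSL offloading, and a missing external host name.

```powershell
# Added example, not from the original page. Summarizes settings that deserve
# review on each Outlook Anywhere virtual directory.
function Get-OutlookAnywhereFinding {
    param([Parameter(ValueFromPipeline = $true)] $VirtualDirectory)
    process {
        $vd = $VirtualDirectory
        # Convert to strings so live and deserialized (remote shell) objects compare alike.
        $client = "$($vd.ClientAuthenticationMethod)"
        $iis = @($vd.IISAuthenticationMethods | Where-Object { $null -ne $_ } | ForEach-Object { "$_" })
        $notes = @()
        if ($client -eq 'Basic') {
            $notes += 'clients send Basic credentials, protected only by the HTTPS channel'
        }
        if ($iis -contains 'Basic') { $notes += '/rpc virtual directory accepts Basic' }
        if ($client -and ($iis.Count -gt 0) -and ($iis -notcontains $client)) {
            $notes += "client method $client is not enabled on /rpc"
        }
        if ($vd.SSLOffloading) {
            $notes += 'SSL offloading enabled: confirm a device in front of the server terminates HTTPS'
        }
        if (-not "$($vd.ExternalHostname)") { $notes += 'no external host name configured' }
        New-Object PSObject -Property @{
            Server = "$($vd.ServerName)"
            Notes  = ($notes -join '; ')
        }
    }
}

# Constructed sample objects; the first mirrors the fields in the Example 1 output.
$sample = @(
    (New-Object PSObject -Property @{ ServerName = 'MAILSERVER25'; SSLOffloading = $false
        ExternalHostname = 'mailserver25.cpandl.com'
        ClientAuthenticationMethod = 'Basic'; IISAuthenticationMethods = @('Basic') }),
    (New-Object PSObject -Property @{ ServerName = 'CONSTRUCTED-CAS2'; SSLOffloading = $true
        ExternalHostname = 'mailer1.cpandl.com'
        ClientAuthenticationMethod = 'Ntlm'; IISAuthenticationMethods = @('Basic') })
)
$sample | Get-OutlookAnywhereFinding

# On a Client Access server: Get-OutlookAnywhere | Get-OutlookAnywhereFinding
```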
Enabling and Modifying Outlook Anywhere
You can deploy Outlook Anywhere by enabling the feature on at least
one Client Access server in each site of your Exchange organization. To
enable Outlook Anywhere, complete the following steps:
- In the Exchange Management Console, expand the Server Configuration node, and then select the Client Access node.
- In the upper portion of the details pane, you'll see a list of your organization's Client Access servers. Right-click the server on which you want to enable Outlook Anywhere, and select Enable Outlook Anywhere.
- In the Enable Outlook Anywhere Wizard, shown in Figure 2, type the external host name for the Client Access server, such as mailer1.cpandl.com.
- Select an available external authentication method. You can select Basic Authentication or NTLM Authentication. NT LAN Manager (NTLM) authentication is more secure than basic authentication.
- Select the Allow Secure Channel (SSL) Offloading check box only if you have configured an advanced firewall server to work with Exchange 2010 and handle your SSL processing.
- Click Enable to apply your settings and enable Outlook Anywhere, and then click Finish.
In the Exchange Management Shell, you can enable Outlook Anywhere by
using the Enable-OutlookAnywhere cmdlet. Example 2 provides the syntax
and usage. The -IISAuthenticationMethods parameter sets the
authentication method for the /rpc virtual directory as either Basic or
NTLM and disables all other methods. The authentication methods the
-DefaultAuthenticationMethod and -ClientAuthenticationMethod parameters
use include the following:
- Basic for Basic Authentication
- NTLM for NTLM Authentication
- Digest for Digest Authentication
- Fba for Forms-based Authentication
- WindowsIntegrated for Integrated Windows Authentication
- LiveIdFba for Live ID Forms-based Authentication
- LiveIdBasic for Windows Live ID Basic Authentication
- WSSecurity for Windows SharePoint Security
- Certificate for SSL Certificate Authentication
- NegoEx for Negotiable Exchange
Example 2. Enable-OutlookAnywhere cmdlet syntax and usage
Syntax
Enable-OutlookAnywhere -DefaultAuthenticationMethod {AuthMethod}
    -ExternalHostName ExternalHostName -SSLOffloading <$true|$false>
    [-Server ServerName] [-DomainController DCName]
Enable-OutlookAnywhere [-ClientAuthenticationMethod {AuthMethod}]
    [-IISAuthenticationMethods <Basic | NTLM>]
    -ExternalHostName ExternalHostName -SSLOffloading <$true|$false>
    [-Server ServerName] [-DomainController DCName]
{AuthMethod}
<Basic | Digest | NTLM | Fba | WindowsIntegrated | LiveIdFba |
LiveIdBasic | WSSecurity | Certificate | NegoEx | MaxValidValue |
Misconfigured>
Usage
Enable-OutlookAnywhere -Server "CAServer21" `
    -ExternalHostName "mailer1.cpandl.com" `
    -DefaultAuthenticationMethod "Basic" `
    -SSLOffloading $false
To modify the Outlook Anywhere configuration, use the Set-OutlookAnywhere cmdlet. Example 3 provides the syntax and usage.
Example 3. Set-OutlookAnywhere cmdlet syntax and usage
Syntax
Set-OutlookAnywhere -Identity VirtualDirId
    [-ClientAuthenticationMethod {AuthMethod}]
    [-DefaultAuthenticationMethod {AuthMethod}]
    [-ExternalHostName ExternalHostName]
    [-IISAuthenticationMethods <Basic | NTLM>]
    [-Name Name]
    [-SSLOffloading <$true | $false>]
{AuthMethod}
<Basic | Digest | NTLM | Fba | WindowsIntegrated | LiveIdFba |
LiveIdBasic | WSSecurity | Certificate | NegoEx | MaxValidValue |
Misconfigured>
Usage
Set-OutlookAnywhere -Identity "CorpSvr127\Rpc (Default Web Site)" `
    -ExternalHostName "mailer1.cpandl.com" `
    -ClientAuthenticationMethod "NTLM" `
    -SSLOffloading $true
Disabling Outlook Anywhere
If you no longer want a particular Client Access server to allow
Outlook clients to use Outlook Anywhere, you can disable this feature by
completing the following steps:
- In the Exchange Management Console, expand the Server Configuration node, and then select the Client Access node.
- In the upper portion of the details pane, you'll see a list of your organization's Client Access servers. Right-click the server on which you want to disable Outlook Anywhere, and select Disable Outlook Anywhere.
- When prompted to confirm, click Yes.
In the Exchange Management Shell, you can disable Outlook Anywhere using the Disable-OutlookAnywhere cmdlet. Example 4 provides the syntax and usage.
Example 4. Disable-OutlookAnywhere cmdlet syntax and usage
Syntax
Disable-OutlookAnywhere [-Server ServerName | -Identity VirtualDirID]
    [-DomainController DCName]
Usage
Disable-OutlookAnywhere -Server "CAServer21"