Friday, May 16, 2014

Exchange 2013 (SP1) - Migration - Part 7 - Outlook Anywhere

As mentioned in a previous post, Outlook Anywhere (RPC/HTTP) is the only access method for Outlook (legacy) clients with Exchange 2013. I specify "legacy" because Outlook 2013 can connect to Exchange 2013 with MAPI/HTTP.

Outlook Anywhere is installed (as a feature) and enabled by default with Exchange 2013 - unlike with Exchange 2007 and 2010.

We can verify that it is installed with the following cmdlet...

Get-WindowsFeature


Note: look for the entry "RPC-over-HTTP-Proxy" and see if there is an "x" indicating that it is installed.


And verify that it is enabled with this cmdlet:

Get-ClientAccessServer EX13-1 | fl Name,OutlookAnywhereEnabled

Name                   : EX13-1
OutlookAnywhereEnabled : True

Note: change the name of the server as appropriate.

Next, we will configure Outlook Anywhere and the URL values in particular.

Note: as with the URLs for other virtual directories, we still need to adjust DNS records so clients will be directed to the Exchange 2013 server rather than the Exchange 2007 server. I will do this in a future blog post.



Here are some notable default settings for Outlook Anywhere. We can compare them with the modified settings we will configure in a moment:

Get-OutlookAnywhere -server EX13-1 | fl servername,*ssl*,*auth*,*hostname*

ServerName                         : EX13-1
SSLOffloading                      : True
ExternalClientsRequireSsl          : False
InternalClientsRequireSsl          : False
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
ExternalHostname                   :
InternalHostname                   : ex13-1.mynet.lan


Some remarks...


  • We will not use SSL offloading in my environment. This would entail the use of another device to encrypt and decrypt the SSL traffic (perhaps a specialized appliance).
  • We will require use of SSL for internal and external clients.
  • Authentication method will be NTLM for both internal and external clients.



This is the cmdlet that configures those (and some other) settings:

# The trailing backticks continue the command across lines so it can be pasted as-is.
Set-OutlookAnywhere "EX13-1\Rpc (Default Web Site)" -ExternalHostname mail.mitserv.net `
    -InternalHostname mail.mitserv.net -ExternalClientAuthenticationMethod Ntlm `
    -ExternalClientsRequireSsl:$true -InternalClientAuthenticationMethod Ntlm `
    -InternalClientsRequireSsl:$true -IISAuthenticationMethods Ntlm -SSLOffloading:$false


This leaves us with the configuration as follows:

Get-OutlookAnywhere -server EX13-1 | fl servername,*ssl*,*auth*,*hostname*

ServerName                         : EX13-1
SSLOffloading                      : False
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Ntlm}
ExternalHostname                   : mail.mitserv.net
InternalHostname                   : mail.mitserv.net
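
One way to check a server against the settings chosen above and list every property that still deviates (an added example, not part of the original post; the function name Test-OutlookAnywhereBaseline and the sample object are made up for illustration):

```powershell
# Baseline: the values this post sets with Set-OutlookAnywhere.
$Baseline = [ordered]@{
    SSLOffloading                      = $false
    ExternalClientsRequireSsl          = $true
    InternalClientsRequireSsl          = $true
    ExternalClientAuthenticationMethod = 'Ntlm'
    InternalClientAuthenticationMethod = 'Ntlm'
    IISAuthenticationMethods           = @('Ntlm')
}

function Test-OutlookAnywhereBaseline {   # hypothetical helper, not an Exchange cmdlet
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Config,
        [System.Collections.IDictionary] $Expected = $Baseline
    )
    process {
        foreach ($name in $Expected.Keys) {
            # Normalise both sides to sorted string lists so that booleans, enum
            # values and multi-valued properties all compare the same way.
            $want = @($Expected[$name] | ForEach-Object { "$_" } | Sort-Object)
            $have = @($Config.$name    | ForEach-Object { "$_" } | Sort-Object)
            if (($want -join ',') -ne ($have -join ',')) {
                [pscustomobject]@{
                    ServerName = $Config.ServerName
                    Setting    = $name
                    Expected   = $want -join ','
                    Actual     = $have -join ','
                }
            }
        }
    }
}

# Constructed sample that mirrors the default values listed earlier in this post,
# so the check runs without an Exchange server. In the Exchange Management Shell,
# pipe in the real object instead: Get-OutlookAnywhere -Server EX13-1
$default = [pscustomobject]@{
    ServerName = 'EX13-1'; SSLOffloading = $true
    ExternalClientsRequireSsl = $false; InternalClientsRequireSsl = $false
    ExternalClientAuthenticationMethod = 'Negotiate'
    InternalClientAuthenticationMethod = 'Ntlm'
    IISAuthenticationMethods = @('Basic', 'Ntlm', 'Negotiate')
}
$default | Test-OutlookAnywhereBaseline | Format-Table -AutoSize
```

An empty result means the server matches the baseline; each returned row names one setting to correct.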


We can configure some of these settings (but not all) in the Exchange Admin Center: Server | Outlook Anywhere:



After executing the command above, we have these settings:



OK, but does this work?

It worked for me.

I was able to log on alternately as two test users and send internal messages back and forth. There were no errors or prompts about certificates. Please note that these test users were created on the Exchange 2013 server and both have mailboxes on this server. Migration of mailboxes on the Exchange 2007 server has yet to take place.

My Outlook version is 2010 SP2. Client settings for Outlook Anywhere were the default settings. No changes were made. For reference, here are those settings:




Note: I make the assumption that the reader knows where to find these settings in Outlook 2010. If not, one can find many articles by conducting an online search with these terms:

outlook anywhere connect to microsoft exchange using http

1 comment:

  1. How did I test client access without first adjusting DNS records (which I say I will do in a "future blog post")?

    -> With an edit to the HOST file on the client machine used to test this.
