In this tutorial I will demonstrate how to enable and configure Exchange Server 2010 Outlook Anywhere to provide secure mailbox connectivity for remote Outlook users.

Outlook Anywhere is a much better solution for remote email access than POP or IMAP because the end-user experience is the same whether Outlook is used on the LAN or remotely. Because its connections are encrypted with SSL, Outlook Anywhere is also inherently more secure than other protocols that have non-encrypted options, which companies often deploy.

What is Outlook Anywhere?

Outlook Anywhere is a service provided by the Client Access server role that allows Outlook clients to make a secure connection over SSL/HTTPS to the mailbox from remote locations.  Previously this was known as RPC-over-HTTPS but was renamed to Outlook Anywhere in Exchange 2007 and 2010.

By wrapping normal Outlook RPC requests in HTTPS the connections are able to traverse firewalls over the common SSL/HTTPS port without requiring the RPC ports to be opened.

There are three main tasks to deploy Outlook Anywhere in an Exchange environment:

  • Enable and configure Outlook Anywhere on the Client Access server
  • Configure the perimeter firewall to allow SSL/HTTPS connections from external networks to the Client Access server
  • Configure the Outlook clients to use Outlook Anywhere when connecting from remote networks

Enable Outlook Anywhere on Exchange Server 2010

In the Exchange Management Console navigate to Server Configuration -> Client Access, and select the Client Access server you want to enable for Outlook Anywhere.

If you have multiple Client Access servers in an Active Directory site then choose the one that is the internet-facing Client Access server.  Or if you have deployed a CAS array you will need to repeat this process on all members of the array.

Choose the Exchange Server 2010 Client Access Server to configure for Outlook Anywhere

With the server selected, in the action pane of the Exchange Management Console click on Enable Outlook Anywhere.

Enable Outlook Anywhere for Exchange Server 2010

The Enable Outlook Anywhere wizard launches.  Enter the external host name for Outlook Anywhere users to use when connecting remotely to Exchange, and choose an authentication method.

Configure Outlook Anywhere for Exchange Server 2010

The external host name you choose should ideally be one that is already included in the Exchange certificate configured on the Client Access server.  Otherwise you will need to create a new certificate for Exchange.

The Outlook Anywhere authentication method you choose will depend on a few factors in your environment.

  • Basic Authentication – this requires that Outlook users enter their username and password each time they connect to Outlook Anywhere.  The credentials are sent in clear text, so it is critical that Outlook Anywhere connections only occur over SSL/HTTPS.  You may need to choose Basic Authentication if the connecting computers are not members of the domain, if the ISA Server publishing rule and listener are shared with other Exchange services that require Basic Authentication, or if the firewall being used does not support NTLM authentication.
  • NTLM Authentication – this is ideal for connecting clients that are domain members because the username and password will not need to be entered by the user each time they connect.  However NTLM may not work with some firewalls or ISA Server publishing scenarios.

When you have configured the Outlook Anywhere settings click Enable to continue, and then click Finish to close the wizard.

The Outlook Anywhere configuration for Exchange 2010 will take effect within 15 minutes of completing the wizard.  The Application Event Log will record Event ID 3008 and a series of other events when the configuration has been applied to the server.
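The same steps can be performed from the Exchange Management Shell. The script below is an added example, not part of the original article: it checks that a current IIS-enabled certificate covers the external host name before enabling Outlook Anywhere, then confirms the result and looks for Event ID 3008. The server name `CAS01`, the host name `mail.example.com` and the helper function `Test-CertificateCoversHost` are placeholders and assumptions.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
$Server       = 'CAS01'             # placeholder: internet-facing Client Access server
$ExternalHost = 'mail.example.com'  # placeholder: external host name for Outlook Anywhere
$AuthMethod   = 'Basic'             # 'Basic' or 'NTLM'; Outlook clients must be set to match

# Hypothetical helper: does any name on the certificate cover the host name?
# A wildcard such as *.example.com covers exactly one extra label.
function Test-CertificateCoversHost {
    param([string]$HostName, [string[]]$CertificateDomains)
    foreach ($name in $CertificateDomains) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)   # e.g. ".example.com"
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# 1. Find certificates that are enabled for IIS, currently valid by date,
#    and that include the external host name.
$now    = Get-Date
$usable = @()
foreach ($cert in (Get-ExchangeCertificate -Server $Server)) {
    $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $forIis  = "$($cert.Services)" -match 'IIS'
    $inDate  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    if ($forIis -and $inDate -and
        (Test-CertificateCoversHost -HostName $ExternalHost -CertificateDomains $domains)) {
        $usable += $cert
    }
}
if ($usable.Count -eq 0) {
    throw "No current IIS certificate on $Server covers $ExternalHost. Create or assign one first."
}
foreach ($cert in $usable) {
    if ($cert.IsSelfSigned) {
        Write-Warning "Certificate $($cert.Thumbprint) is self-signed; remote Outlook clients will not trust it by default."
    }
}

# 2. Enable Outlook Anywhere unless it is already enabled on this server.
#    -SSLOffloading $false means the Client Access server itself expects SSL,
#    which matters most when Basic authentication is chosen.
if (-not (Get-OutlookAnywhere -Server $Server)) {
    Enable-OutlookAnywhere -Server $Server -ExternalHostname $ExternalHost `
        -DefaultAuthenticationMethod $AuthMethod -SSLOffloading $false
}

# 3. Show the stored configuration so it can be compared with the client settings.
Get-OutlookAnywhere -Server $Server |
    Format-List ServerName, ExternalHostname, ClientAuthenticationMethod, SSLOffloading

# 4. The configuration is applied within about 15 minutes; Event ID 3008 in the
#    Application log records that it has been applied.
Get-WinEvent -ComputerName $Server -MaxEvents 5 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Application'; Id = 3008 } |
    Select-Object TimeCreated, ProviderName, Message
```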

Configure the Firewall for Exchange Server 2010 Outlook Anywhere

To enable remote Outlook users to connect to Outlook Anywhere the perimeter firewall for the network must be configured to allow the SSL/HTTPS connections to pass through to the Client Access server.

The precise steps for this will depend on which firewall you are using in your environment.  However the basic components of this configuration are:

  • A public DNS record for the external host name you are using for Outlook Anywhere
  • A public IP address on the firewall that the public DNS record resolves to
  • A NAT or publishing rule to allow SSL/HTTPS connections to reach the Client Access server
Exchange Server 2010 Outlook Anywhere Firewall Overview

If you are running an internet-facing Exchange Server 2010 CAS array then you would configure the firewall rule to direct traffic to the CAS array IP address.
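Once the firewall rule is in place, the three components listed above can be checked from a computer outside the network. The function below is an added example, not part of the original article; `Test-OutlookAnywhereEndpoint` is a hypothetical name and `mail.example.com` is a placeholder for your own external host name.

```powershell
# Added example, not from the original article. Run from a machine on an external network.
function Test-OutlookAnywhereEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    $result = New-Object PSObject -Property @{
        HostName           = $HostName
        Addresses          = $null    # what the public DNS record resolves to
        PortOpen           = $false   # NAT / publishing rule reaches a listener
        CertificateTrusted = $false   # chain, dates and name all validated
        CertificateSubject = $null
        CertificateExpires = $null
        Error              = $null
    }
    $client = $null
    $ssl    = $null
    try {
        # Public DNS record for the external host name
        $result.Addresses = ([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }) -join ', '

        # TCP connection through the firewall to the published HTTPS port
        $client = New-Object System.Net.Sockets.TcpClient
        $client.Connect($HostName, $Port)
        $result.PortOpen = $true

        # TLS handshake using the default validation rules. This throws if the
        # chain is untrusted, the certificate is expired, or the certificate
        # does not include $HostName, which are the conditions that make
        # Outlook show certificate errors.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertificateTrusted = $true
        $result.CertificateSubject = $cert.Subject
        $result.CertificateExpires = $cert.NotAfter
    }
    catch {
        # Record the first failing step; later fields keep their defaults
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Close() }
    }
    $result
}

# Placeholder host name; replace with the external host name you configured.
Test-OutlookAnywhereEndpoint -HostName 'mail.example.com' | Format-List
```

A result with `PortOpen` true but `CertificateTrusted` false points at the certificate rather than the firewall rule.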

Configure Outlook Clients for Exchange Server 2010 Outlook Anywhere

Before an Outlook client can connect to Outlook Anywhere it needs to be configured with the correct settings.  In Outlook 2010 open the Account Settings for the Outlook profile that is configured.

Outlook 2010 Account Settings for Exchange Server 2010 Outlook Anywhere

Double-click to open the properties of the Exchange Server profile that is configured.

Outlook 2010 Exchange Server Profile Settings

Click on More Settings, and then select the Connection tab of the settings dialog box that appears.

Outlook 2010 Connection Settings

Tick the box to Connect to Microsoft Exchange using HTTP, and then click the Exchange Proxy Settings button.

Enable Outlook Anywhere in Outlook 2010

Enter the External Host Name that was configured for Outlook Anywhere earlier on the Client Access server, and then configure the Proxy Authentication Settings to match the client authentication method chosen on the server.

Configure the Outlook Anywhere External Host Name and Authentication Settings in Outlook 2010

Click OK, OK, Next and then Finish to apply the change to Outlook 2010.  You must restart Outlook for the new settings to take effect.

Now that Outlook 2010 has been configured for Exchange Server 2010 Outlook Anywhere, any time the user launches Outlook from a remote connection and can reach the perimeter firewall over the internet they will be able to securely access their mailbox as though they were still on the corporate network.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Sanjay Ram

    Hi Paul,

    We have a similar situation to this. I have EX2013 configured initially with the server FQDN in the Outlook Anywhere URL (server.domain.internal) and other services as well (Autodiscover, OWA, EWS) with a self-signed certificate.

    Now we have deployed a new certificate to reflect mail.domain.com (along with Autodiscover.domain.com) as a SAN name in it.

    After deploying the certificate (still with the URLs pointing to the server FQDN), Outlook clients started displaying a certificate error.

    We have changed the URLs to match the SAN name in the certificate (mail.domain.com).

    Do we need to reconfigure the Outlook clients again?

    We still see clients connecting to the old URL and showing a certificate error; however, the Autodiscover test connects to the new URL.

    Note: Creating a new profile works fine. However, old profiles still display the certificate error.

  2. Asim Anwar

    Hello Paul. Great article. Can you please write an article on MAPI over HTTP in Exchange Server 2010 & 2016? Can we use MAPI over HTTP in Exchange Server 2010? If we can, will it work with Outlook 2010 SP2, 2013 & 2016?

  3. Ritesh Sharma

    Please note I am using Exchange 2010 and Outlook 2016 to test this.

  4. Ritesh Sharma

    Despite the above the test succeeds. What am I missing here? I get multiple authentication prompts as well when I am configuring Outlook Anywhere from external (meaning outside my LAN). My autodiscover is in the SSL certificate.

    1. Paul Cunningham

      You should probably try a network trace with Fiddler or a similar tool so you can see where the client is connecting. Or open a support case with Microsoft.

  5. Ritesh Sharma

    Hi Paul

    While running test connectivity I get
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the “Update Root Certificates” feature isn’t enabled.
    Elapsed Time: 2 ms.

    1. Paul Cunningham

      It means that machines that don’t have the latest root certificates might not trust your certificate. It’s just a warning that mostly impacts older machines or those that don’t allow root certificate updates.

  6. Salman

    Hello Paul,
    Great article and appreciate your effort to avail this for intermediate and fresh Admins 🙂

    Maybe it's quite a simple question but I still want to double confirm: let's say I change the OA URL, will Outlook clients be affected?
    There will be two scenarios as per my understanding:
    1. What will happen with an Outlook client which is configured using Autodiscover?
    2. What will happen where the profile has been configured manually?

    Thanks in advance!

    1. Paul Cunningham

      Outlook clients will receive the new URL via Autodiscover. It will only impact Outlook Anywhere connections. On the LAN, Outlook uses RPC/MAPI to connect, not Outlook Anywhere, so they won’t be impacted unless you’ve got the config in place that forces them to use Outlook Anywhere all the time.

  7. Ihtesham

    What if I want to use Outlook 2016 with Exchange 2010? Where can I set the HTTP settings, as it doesn’t have a Connection tab?

  8. Mike

    Paul, I am having an issue with attachment downloads where the root cause is hard to identify.
    Download of attachments in the Wi-Fi network takes up to 40 seconds. Download through LAN works without delay.
    Same issue on different hardware with the same user.
    OWA download works both ways, LAN and Wi-Fi without delay!
    Download via Outlook Anywhere also works without any delay.
    Exchange 2010 Current Patch
    Outlook 2010 Current Patch
    Any ideas?

    Thanks!
    Mike

  9. Andrew

    Paul,

    What does this mean? Please. I had outlook anywhere configured, then I disabled it. Then I tried enabling it again and I get the error below. Thanks for the helpful article.

    VESTA
    Failed

    Error:
    Web object ‘IIS://localhost.cabledomains.com/W3SVC/1/ROOT’ can’t be found.

    Exchange Management Shell command attempted:
    enable-OutlookAnywhere -Server ‘VESTA’ -ExternalHostname ’email.cablebahamas.com’ -DefaultAuthenticationMethod ‘Basic’ -SSLOffloading $false

    Elapsed Time: 00:00:01

  10. Kevin Dormido

    This post is very helpful.
    However, I tried to upgrade my Outlook 2010 to 2016 and I no longer see Outlook Anywhere in my client settings.

    Please advise how to configure.
    FYI: I’m using Exchange Server 2010.
    Thank you.

  11. Rob

    To expand:

    Get-Counter "\RPC/HTTP Proxy\Current Number of Unique Users" -ComputerName casserver01, casserver02

  12. Rob

    @ George Balanos

    You could use RPC/HTTP proxy counters

    https://technet.microsoft.com/en-us/library/bb201674(EXCHG.80).aspx

    RPC/HTTP Proxy\Current Number of Incoming RPC over HTTP Connections
    Shows the current number of front-end HTTP connections.
    Determines current user load.

    RPC/HTTP Proxy\Current Number of Unique Users
    Shows the number of unique users currently connected to a back-end server via RPC/HTTP.
    Determines current user load.

    RPC/HTTP Proxy\RPC/HTTP Requests per Second
    Shows the rate of RPC/HTTP requests sent to the back-end servers.
    Determines current Outlook Anywhere load.

    RPC/HTTP Proxy\Number of Failed Back-End Connection attempts per Second
    Shows the rate at which the RPC proxy attempts are occurring but fail to establish a connection to a back-end server.

  13. Sofiane

    Hello

    Thanks for this useful blog. If I choose to connect to Exchange on the local network without having reconfigured HTTP Outlook Anywhere, what is the protocol Outlook is using to connect to the Exchange server?

    Regards
    Sofiane

  14. George Balanos

    Good afternoon, is there a report to run concerning who is actually utilizing Outlook Anywhere?

  15. ab

    I have setup Exchange 2010 server – all working fine inside the organisation.

    I am trying to configure Outlook 2010 to use the IMAP/Outlook Anywhere accounts on Exchange 2010, but can’t access these remotely (outside the office network).

    I know I could use OWA, or Exchange with RPC, or even a VPN – but I would like to use IMAP as I have around 10 email accounts, some on different domains, that I need to check regularly / at the same time.

    I have the correct ports open on your firewall to allow IMAP traffic to pass through to our Exchange server.
    When I telnet to the public IP address on ports 143, 993 and 110 it's connected and ready.

    Can anyone advise on how to set up Exchange 2010 / Outlook 2010 so that I can access the IMAP account remotely using Outlook 2010?
    Thanks

  16. Nagesh

    Hi Paul,

    We are running on Exchange Server 2010. We are connecting to Outlook through RPC over HTTP and no MAPI enabled. We are facing intermittent issues with Outlook connectivity. All the users are connecting from the internal network only. We ran ExRCA and did not find any issues except “Checking the IIS configuration for client certificate authentication. Client certificate authentication wasn’t detected.” Need your help in identifying the issue and troubleshooting it. I don't know where to start digging into the issue. Can you please assist/help me in resolving it?

    1. Paul Cunningham

      Does the Outlook Anywhere namespace resolve to an internal IP or external IP for clients on the internal network?

      If it resolves to an external IP maybe your firewall is dropping the connections. Or there could be any other possible network issues between your clients and the server (firewall, load balancers, WAN links, virtual network config….)

  17. Anonymous

    Hi Paul,

    How do Outlook 2010 clients connect to Exchange 2013 SP1? Do they connect through RPC/HTTP? Does Exchange 2013 SP1 support RPC/HTTP connections? Thanks.

    1. Paul Cunningham

      Correct, it is via Outlook Anywhere, also known as RPC over HTTP (or HTTPS).

  18. Jaap

    Hello Paul

    Thanks for the article, it’s very useful.

    I am having an issue, though. After configuring Outlook Anywhere, with proper SSL certs, the Remote Connectivity Analyzer gives green light. However, when I configure Outlook (2013) it never wants to successfully connect and it keeps on asking me for the username and password. Now I am connecting from a different domain as the Exchange(2010) server is in, theoretically (if I understand correctly) this shouldn’t matter if I use basic authentication, right?

    However, even with basic authentication I can see in the server’s log that the authentication fails and it shows the incorrect domain name under the account name. How can I prevent this from happening?

    Thanks, kind regards.

    1. Jaap

      OK found it, it appeared a DNS entry was needed on the Windows server pointing the external host name to the internal address, for that a split DNS configuration needed to be created. Now it works…

      I used this article http://www.petenetlive.com/KB/Article/0000830.htm.

      Thanks, kind regards,
      Jaap

  19. Danushka

    Dear Paul,

    Can we disable Outlook Anywhere auto-configuration on the client side? When we disable it manually, it is enabled again automatically after a restart.

    Thanks

    Danushka

  20. Simon

    Hello Paul,
    Thanks for your tutorial, it makes life easier, Exchange server and OWA had been working fine till yesterday when adding firewall. Following the ports defined on Microsoft website, lots of ports had been added for firewall. Clients can access mail by using outlook from their computers outside company. However, they cannot use OWA to access it, the main page of OWA can be shown, but when users type correct user name and password then click login an error page came out shown in the following

    The web page is not available
    The web page at https://webmail.abc.com/owa/auth.owa might be temporarily down or it may have moved permanently to a new web address.
    Error code: ERR_RESPONSE_HEADERS_TRUNCATED

    We are using dedicated server and firewall is provided by hosting provider. They said
    It was adding the internal IPs to the nic. You need to make sure that any applications using the public IP are swapped for the internal IPs.
    I would like to ask you how to address the problem and what kinds of problems would cause it?
    Had checked that ports 80 and 443 are open to inbound traffic
    Many thanks
    Simon

  21. Carsten

    Hi Paul,

    I have a problem with RPC over HTTPS and the message limit. When a user connects Outlook from outside, the synchronisation starts and everything is fine. When I send a mail with a 15MB attachment the synchronisation stops at 10MB and will not start again.
    I think there is a limit at 10MB for RPC, but where can I change this?
    All other limits (send connector, receive connector, etc.) are configured to 100MB at this time.
    Do you know a reason for this problem?

    1. Carsten

      Hi Paul,

      The computer isn't in the company domain. This computer is a little workstation for the Directing Manager in his own holiday cabin in the Alps in Austria. He doesn't want to connect this private computer to the domain, for whatever reason. As the firewall in the company we have a Barracuda Firewall with no limits for this protocol. On the firewall we see that the stream is disconnected at 10MB but we see no reason.

  22. Najam

    Hi Paul,

    I had configured Outlook Anywhere as per the steps provided.
    Got an SSL certificate from GoDaddy and made the Common Name the same as the one provided in Outlook Anywhere.

    The first time I configure a profile, Outlook Anywhere is connected and the user is able to send/receive, but when he closes Outlook and opens it again, the Exchange proxy URL changes to the internal CAS server name and Outlook shows as disconnected. If we change the proxy to the external URL, he is able to send/receive.
    I am using Basic Authentication for Outlook Anywhere.

    How do I fix this?

    Appreciate your help in advance.

  23. Prashant

    Hi,

    How to configure Proxy Authentication settings on CAS 2010.

    Regards,
    Prashant

  24. Ankit

    Hi Paul,

    I had a query regarding Authentication Settings on CAS 2010.

    Can we offload the Authentication to another Network device on CAS 2010?

    Description of my issue:

    I want to authenticate user on my Network Device and once they are authenticated
    I redirect them to the CAS server.
    I do not want the CAS Server to re-authenticate the user. Currently it does.

    Regards,
    Ankit

    1. Paul Cunningham

      You need a device that can do pre-auth. TMG was one such solution. Kemp’s ESP is another.

  25. ihsan

    Hi, I have a problem with Hosted Exchange 2010 SP1. When I create a new OU and mailbox it works fine with OWA, but when I try to connect with Outlook it says the name is not found. If I try to connect automatically I get the message “user name Not found”, and when I try to connect manually I get the error message ”there is problem with the security certificate. the name on the security certificate is invalid or does not match …”. Outlook also has some problems with some old mailboxes.

    From ExRCA I get the following errors, i.e. certificate related:

    The Microsoft Connectivity Analyzer is attempting to test Autodiscover for gull@xyz.co.uk.
    Autodiscover was tested successfully.

    Additional Details

    Elapsed Time: 2927 ms.

    Test Steps

    Attempting each method of contacting the Autodiscover service.
    The Autodiscover service was tested successfully.

    Attempting to test potential Autodiscover URL https://xyz.co.uk/AutoDiscover/AutoDiscover.xml
    Testing of this potential Autodiscover URL failed.

    Additional Details

    Elapsed Time: 417 ms.

    Test Steps

    Attempting to resolve the host name xyz.co.uk in DNS.
    The host name resolved successfully.

    Additional Details
    Testing TCP port 443 on host xyz.co.uk to ensure it’s listening and open.
    The port was opened successfully.

    Additional Details
    Testing the SSL certificate to make sure it’s valid.
    The SSL certificate failed one or more certificate validation checks.

    Additional Details

    Test Steps

    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server xyz.co.uk on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.

    Additional Details
    Validating the certificate name.
    Certificate name validation failed.
    Tell me more about this issue and how to resolve it

    Additional Details
    Attempting to test potential Autodiscover URL https://autodiscover.xyz.co.uk/AutoDiscover/AutoDiscover.xml
    Testing of this potential Autodiscover URL failed.

    Additional Details

    Test Steps

    Attempting to resolve the host name autodiscover.xyz.co.uk in DNS.
    The host name resolved successfully.

    Additional Details
    Testing TCP port 443 on host autodiscover.xyz.co.uk to ensure it’s listening and open.
    The port was opened successfully.

    Additional Details
    Testing the SSL certificate to make sure it’s valid.
    The SSL certificate failed one or more certificate validation checks.

    Additional Details

    Elapsed Time: 270 ms.

    Test Steps

    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.xyz.co.uk on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.

    Additional Details
    Validating the certificate name.
    Certificate name validation failed.
    Tell me more about this issue and how to resolve it
    Additional Details
    Attempting to contact the Autodiscover service using the HTTP redirect method.
    The Autodiscover service was successfully contacted using the HTTP redirect method.
    …………………….. Please help

  26. Irfan

    Hi everybody

    I have my Exchange Server 2010 with Active Directory and DNS and it is working fine locally. I want it to be online; what things are necessary?

    Please help me

    Thanks

    Mohammed Irfan

  27. Gkumar731

    Can you help, please?

    What do I have to configure to support multiple Outlook Anywhere external host names or URLs with a single Exchange 2010 site?
    e.g. webmail.domain.com, Outlook.domain.com, email.domain.com

    Can I run it like this?
    Enable-OutlookAnywhere -Server ‘CASarray’ -ExternalHostname ‘webmail.domain.com’, ‘Outlook.domain.com’, ‘Email.domain.com’ -DefaultAuthenticationMethod ‘NTLM’

    Thanks in advance

    1. Paul Cunningham

      A Client Access server (not array) can have one external Outlook Anywhere namespace.

  28. Rajen

    Hi Paul.

    Have to say all of your Exc step by step procedures are awesome.
    Keep up the good work. I use a lot of it religiously. hehehe

    Please advise. Currently I have noticed that random users are suddenly being prompted for passwords whilst on the LAN. A further look shows that Outlook is trying to connect to my webmail server and that’s what is requiring the password.
    On my Exchange 2010 box I currently have CAS authentication set to Basic and not NTLM.
    If I do set this to NTLM, does this mean that users connecting from non-domain PCs, such as mobile phones and PCs at home, will not be able to connect?
    Strangely it has always been on Basic but this problem has only come up a few months ago 🙁
    If I set those Outlook clients to use KERBEROS it solves the problem, whilst others work fine on NEGOTIATE AUTO. The reason for Kerberos is I have Riverbeds which require mail security to be set to that security level….

    1. Paul Cunningham

      Non-domain clients should still be able to auth when it is NTLM.

      From memory though, the auto-logon can stop working if the Outlook Anywhere namespace is not in the trusted or intranet zone in IE, or a zone that allows auto-logon. Been a while since I had to look at a scenario like this though.

      1. Rajen

        Thank you for the input but I am still stumped with this issue.

        Whenever a user's PC prompts for a password, I noticed that at that moment the Outlook client is trying to connect to my webmail server.

        But the users are on the LAN. How do I tell Outlook to use domain credentials for the webmail connection over the LAN,

        so that it does not prompt users for a password when it suddenly tries to connect to the webmail server?

      2. Kay

        Paul,

        What if the goal is for non-domain computers to NOT be able to access my environment? Can that be done at TMG level? A firewall perhaps? Would like to hear some ideas/hear your thoughts. Thanks.

  29. ken

    Thanks for the article. The Outlook 2010 client is making a connection and sending/receiving email. If I reboot and start Outlook the settings under Outlook Anywhere have been cleared. I reenter them and Outlook connects. But if I reboot they are gone.

  30. rajkumar kathane

    Hi

    A problem occurred with the certificate on my Windows.

    I installed the certificate; now Windows is working fine.

    Thanks

  31. Rafi

    Hi,

    To publish Outlook Anywhere, is it mandatory to purchase a public certificate,
    or is an internal certificate enough to do the job?

    Thanks

  32. George

    I have this issue: published Exchange 2010 on a Cisco ASA 5505 with static NAT on port 443.
    NTLM auth doesn’t work for non-domain computers. When I turn on Basic authentication, the username and password window pops up but I still can’t connect. I checked on testechangeserverconnectivity and only an SSL problem occurs, but I have my own CA and I install exported certificates on non-domain devices, so that shouldn’t be an issue here. Besides, I installed the CA certificate on my Windows Mobile and it started to work just fine.
    Any suggestions?

  33. chris

    I have done everything as stated in the article but Outlook Anywhere still cannot work; however, I am able to use OWA on both external and internal clients.

  34. Christian

    Hi Paul,
    When I activate Outlook Anywhere on my CAS servers, all Outlook 2007 and 2010 clients automatically have the HTTPS parameters checked in their configuration. It’s not a problem if it works well every time, but sometimes, and I don’t know why yet, Outlook asks the user for a password even if he’s connected to the domain LAN.

    Every day I have 1 – 5 users calling us for that; they relaunch Outlook and it works again.
    Note: from the WAN it’s working fine.

    I am hesitating to disable Outlook Anywhere on the CAS. Will Outlook’s configuration follow my lead, or will I be contacted by 500 users?

  35. John

    Thank you Paul,
    Always I am Luck with your Articles.
    Good Luck,
    John

  36. suraj

    Nice article on Outlook Anywhere .. good feature and good info given.

    Issue with users outside my domain ….

    On another ISP, a few users with Outlook 2010 are normal and able to check mail without a password.

    A few with Outlook 2007 have to change the authentication method from NTLM to Basic, then it asks for a password for mail (the default returns to NTLM).

    Kindly support with a solution on this so that

    SURAJ

    1. Paul Cunningham

      If the Exchange server is configured for Basic auth for Outlook Anywhere then the Outlook clients need to use Basic auth. I’m not sure what else you are asking me here?

      1. suraj

        Paul,

        A few clients are running normally but a few clients are having trouble with this issue.

        regards
        suraj

  37. Mirwaisjalil

    how are you? Hope you are fine, now I am facing 1 problem relate to configure exchange sever not configured why?

  38. Kwasi

    Hi Paul,

    Let me add some more information. My exchange 2010 has a self-signed certificate. The internal exchange server name is what is contained in the self-signed certificate and the owa name is different from the internal name.

    Could this be reason why when configuring outlook anywhere I get error code 10? I urgently need your assistance

  39. Kwasi

    Hi,

    I find this write-up very educative. I have configured exchange, but cannot get outlook anywhere to work due to the certificate. If I could get to chat with you live on skype or google chat, that will enable me to get realtime questions across so you assist me set it up.

    I will be most grateful

  40. CBlue

    Best secret I found in doing this is either create profile and resolve name on the LAN first or via VPN. Set up Mail Profile from Control Panel -> Mail (32 bit). Create profile and follow wizard, except check box for manual setup and use INTERNAL Exchange Server name, and “Check Name”. (This is when you would need to connect VPN first, if you’re not on the physical LAN.) When name comes back underlined (successfully resolved), go to More Settings button, and proceed to the tab to set up Outlook Anywhere proxy server (remote.yourdomain.com, in the case of SBS 2011 default.) Leave the LAN or disconnect the VPN and launch Outlook. You should be prompted for a login (domain\username format) and password. If this is your first time connecting Outlook on this machine, it’ll ask for your name and initials, then “preparing mailbox for first use” and so on until you are looking at your mailbox, FROM the Internet, no VPN required. Everything else in the original article is rock solid helpful. Thanks Paul!

    1. chan

      Thanks a lot CBlue , that really helps me. But my main problem now is the EXTERNAL Exchange server. How to set up External exchange server? What exactly do I need is how to create this and its requirements.
      Thanks again

      1. CBlue

        Well, I believe the original article here deals with setting up the [external] Exchange Server. My comment was more towards the SBS 2011 Standard (Small Business Server 2011), which has a sort of ‘integrated’ Exchange Server, and is often left out of discussions on Exchange Server (or Windows Server 2008 R2, on which it’s based.)

        1. chan

          Hi CBlue, can you please give me the link to your tutorial regarding the integrated Exchange server? I’m still studying how to set up Microsoft Exchange Server 2012. I’m still figuring out what the requirements will be in hardware and software, like Exchange Server and Active Directory. Thanks

    2. AlyceO

      Hi CBlue, in your reply regarding Outlook Anywhere you indicated that after connecting to the network and setting up the profile with Outlook Anywhere configured, you could access your mail without VPN, with just an internet connection; that you would be asked for logon credentials and then it would open. I am using a profile with Outlook Anywhere for the first time. My computer was on the company network, configured for Outlook Anywhere. When I try to open Outlook I am prompted for my domain credentials, but it doesn’t let me in because it can’t authenticate me because I am not connected to a domain. How is this supposed to work? If I cancel the login then I am working with my offline folders only. I am trying to understand the advantages of Outlook Anywhere but I don’t understand how it is supposed to work.

      Thank you,

      AlyceO

      1. CBlue

        Make sure that it works on the LAN first, and is configured to use the Exchange server on the LAN. THEN, set up for the Outlook Anywhere proxy server (“remote.yourdomain.com”, in the case of SBS 2011 default): in “More settings” go to the “Connection” tab, click the Exchange Proxy Server button, follow the original directions to set up your publicly accessible and named Exchange Server in the URL box, and pick NTLM as the authentication method. Should work at this point. Test it as follows: leave the domain, launch Outlook while connected to the Internet. Should be able to traverse the firewall and talk to the [Exchange] server at this point.

        1. AlyceO

          CBlue, it does work on the LAN, but our admins have us use Basic Authentication, not NTLM. I think I know what the issue may be; I will try that. Thank you for the information.

          AlyceO

  41. chan

    Hi Paul,

    I need help. What are the requirements for setting up an Outlook Exchange Server 2010? Such as: server (physical), domain (paid) and software…

    Thanks in advance

  42. Thomas

    Hi Paul,

    If you have FBA enabled on your TMG listener and OA is configured for NTLM, I believe I won’t be able to authenticate through TMG. For some reason, the MS whitepaper implies that if you have an FBA listener you will have only Basic Auth delegation available for OA.
    In my case the FBA listener works with my OA rule only if I pass through TMG by configuring the Authentication delegation to “No Authentication but clients may authenticate directly”.

    I would like to keep FBA on TMG and NTLM on OA for my domain users, but this causes issues with the OAB (web-based) download when passing through TMG, causing a credentials pop-up box.

    Any ideas?

  43. Atif

    After setting all the configuration above, I still get an error message of invalid certificate. Can’t we use a self signed certificate for Outlook Anywhere?
    What exactly is the procedure of generating self required certificate for use anywhere?

    1. victor

      Install the self-signed certificate on the client as a trusted root CA.

  44. Sam

    Thank you so much. This saved my bacon in a training session with 30 users who were training on Tasks. We found out the day of training that our VPN connection would not be allowed through the guest network available at the training center. With your help we had it all set in 15 minutes and training could continue.

  45. Engin

    Hi,

    How to change my server’s Outlook Anywhere name? I am reading and applying this article but I don’t change my server name.

  46. bingo

    My Outlook does not have the option of Outlook Anywhere. I’m using POP/SMTP email configured with an IP address. I need to access my mails everywhere I go, as long as I am connected to any network.

  47. jay

    Hi sir,

    I have some queries,

    One of my clients is complaining that, while their external users are trying to connect with Outlook, it takes 9-10 mins, and after connecting to Outlook, when they try to send mail it takes 40-45 secs.
    There is not any issue with OWA.

    Please help me to resolve this issue.

  48. kor-kantos

    Don’t forget to enable the RPC over HTTP feature or Outlook Anywhere won’t work.

  49. Sophaktra SOK

    Dear Team,

    How are you? Hope you are fine. Now I am facing 1 problem related to Outlook Anywhere. I am using Windows Server 2008 R2, Exchange Server 2010. I had enabled Outlook Anywhere on my server and I bought the certificate from DigiCert for my Exchange server. But when I am using the online tool for Exchange connection testing, “https://www.testexchangeconnectivity.com/”, I got the error below:

    Testing RPC/HTTP connectivity.
    The RPC/HTTP test failed.

    Test Steps

    Attempting to resolve the host name mail.thakral.com.kh in DNS.
    The host name resolved successfully.

    Additional Details
    IP addresses returned: 175.28.3.58
    Testing TCP port 443 on host mail.thakral.com.kh to ensure it’s listening and open.
    The port was opened successfully.
    Testing the SSL certificate to make sure it’s valid.
    The certificate passed all validation requirements.

    Test Steps

    ExRCA is attempting to obtain the SSL certificate from remote server mail.thakral.com.kh on port 443.
    ExRCA successfully obtained the remote SSL certificate.

    Additional Details
    Remote Certificate Subject: CN=thakral.com.kh, OU=IT, O=Neeka Limited, L=Phnom Penh, S=Phnom Penh, C=KH, Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US.
    Validating the certificate name.
    The certificate name was validated successfully.

    Additional Details
    Host name mail.thakral.com.kh was found in the Certificate Subject Alternative Name entry.
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.

    Test Steps

    ExRCA is attempting to build certificate chains for certificate CN=thakral.com.kh, OU=IT, O=Neeka Limited, L=Phnom Penh, S=Phnom Penh, C=KH.
    One or more certificate chains were constructed successfully.

    Additional Details
    A total of 2 chains were built. The highest quality chain ends in root certificate CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.

    Additional Details
    ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the “Update Root Certificates” feature isn’t enabled.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn’t expired.

    Additional Details
    The certificate is valid. NotBefore = 6/12/2012 12:00:00 AM, NotAfter = 6/19/2013 12:00:00 PM
    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn’t detected.

    Additional Details
    Accept/Require Client Certificates isn’t configured.
    Testing HTTP Authentication Methods for URL https://mail.thakral.com.kh/rpc/rpcproxy.dll.
    The HTTP authentication methods are correct.

    Additional Details
    ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic
    Attempting to ping RPC proxy mail.thakral.com.kh.
    RPC Proxy can’t be pinged.

    Additional Details
    A Web exception occurred because an HTTP 404 – NotFound response was received from IIS7.

    Please kindly help to support me on that case. Now I have no solution to fix the Exchange server for Outlook Anywhere yet. But for Exchange ActiveSync, it is working properly. Thanks

  50. David Han

    Great article, and it helped me to set up my Outlook Anywhere deployment

  51. James

    Can you help, please?

    What do I have to configure to support multiple Outlook Anywhere email domains with a single Exchange 2010 site?
    e.g. webmail.domain.com, webmail.domain2.com, webmail.domain3.com

    Can I run it like this (or to this effect via another configuration method)?
    Enable-OutlookAnywhere -Server ‘CASarray’ -ExternalHostname ‘webmail.domain.com’, ‘webmail.domain2.com’, ‘webmail.domain3.com’ -DefaultAuthenticationMethod ‘NTLM’

    Thanks in advance.

    1. Lal

      Hi

      Have you configured multiple domains?

      Regards
      Lal

  52. john

    Looking for info on publishing Outlook Anywhere via TMG 2010 as opposed to a different firewall

  53. Exchange reader

    Hello, I think you missed out one thing here, which is SSL for Outlook Anywhere. Could you update the same as well? It will be useful for the readers.

  54. Chazzie

    Hello, you are missing one part. What are we supposed to put in the Exchange Server box right above the user name? It’s the first thing it asks you when you click profile properties.
