Configuring Outlook Anywhere for Exchange 2007 SP1
Updated April 22, 2008
Exchange 2007 has rebranded RPC over HTTPS, which is now called Outlook Anywhere, and there have even been some slight modifications from RTM to Exchange 2007 SP1:
http://msexchangeteam.com/archive/2007/11/08/447484.aspx
When using Outlook 2007, the Autodiscover service is heavily tied into Outlook Anywhere functionality. I am going to reference a previous posting that explains those functions in detail.
http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html
With Exchange 2007, in order to allow clients remote access to the mail system you will need to install an Exchange 2007 CAS server, which allows clients to access their mail via IMAP, POP, OWA, ActiveSync, and RPC/HTTPS (Outlook Anywhere).
For this article I am going to skip the installation of each server role and just work with the configuration. The lab consists of 1 DC, 1 CAS/Hub and 1 MBX server running Windows 2003 and Exchange 2007 SP1.
RPC/HTTP was first introduced with Exchange 2003 and has been renamed Outlook Anywhere in Exchange 2007. In order to use this functionality with Exchange we must install the RPC over HTTP Proxy networking component on a server (recommended on your Exchange server).
What does this network component do for us?
RpcProxy.dll is an Internet Server API (ISAPI) extension that runs in Internet Information Services (IIS). RpcProxy.dll listens for activity on the RPC virtual directory.
RpcProxy.dll requires authentication and will not pass anonymous requests even if IIS is configured for anonymous authentication.
When an Outlook client typically communicates with an Exchange server, the client attempts to connect via MAPI RPC. With RPC/HTTP, Outlook makes an HTTP connection to the RPC proxy server, which strips the HTTP and sends the RPC request to the appropriate Exchange server.
Installing the RPC/HTTP networking component:
1. From the Add/Remove programs select Windows components
2. Select Networking Services then details

3. Select Rpc over http proxy -> OK

4. Click Next to start the installation
5. Click Finish to complete the installation
How do we verify the installation?
1. Validate that you have 2 virtual directories installed, called RPC and RPC with Cert
The 2 new virtual directories point to C:\WINDOWS\System32\RpcProxy, which is the location of rpcproxy.dll


2. Verify the RPC Proxy server extension is allowed in IIS (this will be enabled after you install the component)

Later we will look at a tool called rpc dump that can be used to troubleshoot connectivity problems.
After we have installed our CAS server we need to enable Outlook Anywhere, which can be done in one of two ways: 1. EMS (command line) or 2. EMC (GUI)
1. EMS
To work with Outlook Anywhere via EMS we use the following set of commands: Get-OutlookAnywhere, Set-OutlookAnywhere, Enable-OutlookAnywhere.
A. Open EMS
B. Now we will use the Enable-OutlookAnywhere command to enable this feature
– The following switches are available for the command
** Pre SP1
Enable-OutlookAnywhere -DefaultAuthenticationMethod -ExternalHostname -SSLOffloading <$true $false> [-Confirm []] [-DomainController ] [-Server ] [-TemplateInstance ] [-WhatIf []]
** Post SP1
Enable-OutlookAnywhere -ClientAuthenticationMethod -ExternalHostname -SSLOffloading <$true $false> [-Confirm []] [-DomainController ] [-IISAuthenticationMethods ] [-Server ] [-TemplateInstance ] [-WhatIf []]
For this demo I used the following command
[PS] C:\>Enable-OutlookAnywhere -Server vmcashub -SSLOffloading:$false -ExternalHostname vmcashub.vn.local -ClientAuthenticationMethod basic -IISAuthenticationMethods basic

*Note: if you use DefaultAuthenticationMethod it will override ClientAuthenticationMethod and IISAuthenticationMethods*
*The ClientAuthenticationMethod setting is what Autodiscover will use to configure the client*
Enable-OutlookAnywhere
http://technet.microsoft.com/en-us/library/bb124993%28EXCHG.80%29.aspx
We can use the Get-OutlookAnywhere command to view our configuration
Get-OutlookAnywhere
http://technet.microsoft.com/en-us/library/bb124263%28EXCHG.80%29.aspx
Once we have enabled Outlook Anywhere, any future modification will be done with the Set-OutlookAnywhere command (e.g. changing authentication)
Set-OutlookAnywhere http://technet.microsoft.com/en-us/library/bb123545%28EXCHG.80%29.aspx
2. EMC
a. Open EMC –> Server configuration –> client Access Server
b. Select the CAS server you want to enable
c. Click the button to Enable Outlook Anywhere

d. Enter the External name that clients will use to connect to your Exchange Server, note this name should match the name on your certificate. Select the authentication method of choice

e. On the Completion Wizard Click finish

As you saw, there is very little configuration when enabling Outlook Anywhere. We have 3 options:
1. URL 2. Authentication and 3. Enable SSL offloading
Once we have enabled Outlook Anywhere we can validate that the registry key has been configured with the correct ports for communication to our mailbox servers. Note that only the name listed in the key can be used by clients to connect, and you will notice there is no IP address listed, so testing via IP will fail through the RPC proxy.
1. Click start Run
2. Regedit – this will open the registry editor
3. HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
4. Notice the Dword called Enabled set to 1
5. There is a String value called “ValidPorts”
VMMBX1:6001-6002;VMMBX1:6004;vmmbx1.vm.local:6001-6002;vmmbx1.vm.local:

**Note: if the ports are not listed it could take up to 15 minutes to update, or you can restart the Microsoft Exchange Service Host **
We can see that the RPC proxy connects to our mailbox server on the following ports: 6001-6002 and 6004. Each port is defined below
Microsoft Exchange Information Store service: 6001
referral service of DSProxy: 6002
proxy service of DSProxy: 6004
Active Directory (if the global catalog server and Exchange Server are on the same server): 6004
In our client testing we can validate the proxy making connections to our mailbox server with these ports.
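ValidPorts is the allow-list of back-end server:port pairs the RPC proxy will relay to, so it is worth checking that every listed server has exactly 6001, 6002 and 6004 and nothing wider. The following is an added example, not part of the original article: it assumes Windows PowerShell 3.0 or later, the function names are hypothetical, the sample string is constructed, and the servers vmmbx2 and vmmbx3 in it are invented to show the two kinds of finding.

```powershell
# Added example (not the article's code): audit the RpcProxy ValidPorts string.
# Expected ports are the ones the article lists for Outlook Anywhere.
$ExpectedPorts = 6001, 6002, 6004

function ConvertFrom-ValidPorts {
    param([Parameter(Mandatory = $true)][string]$Value)
    # Entries are separated by ';' and look like "server:port" or "server:low-high".
    foreach ($raw in $Value.Split(';')) {
        $entry = $raw.Trim()
        if ($entry -eq '') { continue }
        if ($entry -match '^(?<name>[^:\s]+):(?<lo>\d{1,5})(?:-(?<hi>\d{1,5}))?$') {
            $lo = [int]$Matches['lo']
            $hi = $lo
            if ($Matches.ContainsKey('hi')) { $hi = [int]$Matches['hi'] }
            [pscustomobject]@{
                Entry  = $entry
                Server = $Matches['name'].ToLower()
                Low    = $lo
                High   = $hi
                Valid  = ($lo -ge 1 -and $lo -le $hi -and $hi -le 65535)
            }
        }
        else {
            # For example an entry whose port is missing, such as "server:".
            [pscustomobject]@{ Entry = $entry; Server = $null; Low = 0; High = 0; Valid = $false }
        }
    }
}

function Test-ValidPorts {
    param(
        [Parameter(Mandatory = $true)][string]$Value,
        [int[]]$Expected = $ExpectedPorts
    )
    $entries  = @(ConvertFrom-ValidPorts -Value $Value)
    $findings = @()

    # 1. Entries that do not parse as server:port or server:low-high.
    foreach ($bad in @($entries | Where-Object { -not $_.Valid })) {
        $findings += [pscustomobject]@{ Server = $bad.Server; Issue = 'Malformed'; Detail = $bad.Entry }
    }

    # 2. Per server name: ranges wider than needed, and expected ports not covered.
    foreach ($group in @($entries | Where-Object { $_.Valid } | Group-Object Server)) {
        $covered = @()
        foreach ($e in $group.Group) {
            $inRange  = @($Expected | Where-Object { $_ -ge $e.Low -and $_ -le $e.High })
            $covered += $inRange
            $width    = $e.High - $e.Low + 1
            if ($width -gt $inRange.Count) {
                # The entry lets the proxy relay to ports Outlook Anywhere does not use.
                $findings += [pscustomobject]@{ Server = $group.Name; Issue = 'BroaderThanNeeded'; Detail = $e.Entry }
            }
        }
        $missing = @($Expected | Where-Object { $covered -notcontains $_ })
        if ($missing.Count -gt 0) {
            $findings += [pscustomobject]@{ Server = $group.Name; Issue = 'MissingPort'; Detail = ($missing -join ',') }
        }
    }
    $findings
}

# Constructed sample value, not copied from a live server. The vmmbx2 and vmmbx3
# entries are invented: one lacks port 6004, the other opens a wide range.
$sample = 'VMMBX1:6001-6002;VMMBX1:6004;vmmbx1.vm.local:6001-6002;vmmbx1.vm.local:6004;' +
          'vmmbx2.vm.local:6001-6002;vmmbx3.vm.local:1024-65535'

# On a CAS server, read the live value from the key shown in the article instead:
# $sample = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy').ValidPorts

Test-ValidPorts -Value $sample | Format-Table -AutoSize
```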
Configure a client:
Manually
1. Create a New profile
2. check the manually configure box at the bottom

3. Select Microsoft Exchange
4. Input your mailbox server name (this could be FQDN or Netbios Name)
5. Click the “More settings” button
6. Select the connections tab
7. Check the box “Connect to Microsoft Exchange using HTTP” -> Exchange Proxy Settings
8. Input the url of your Outlook Anywhere server, check the appropriate authentication
9. Click OK and finish the profile
2. Autodiscover
** if autodiscover is not working please refer to my blog on autodiscover **
http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html
2. Give a name for the profile

3. Input the display name and users email address and password
**Note a domain logged on user will auto populate the information**

6. Click Finish

Validation:
Now that we have installed all the components, we need to do some testing to validate that we have access to our mail.
Check Outlook connection status:
1. Log onto Outlook
2. in the System tray hold the CTRL key and right click the Outlook icon
3. select connection status

You can see our connection shows https, which validates we are going through the CAS server and proxying our connection.
Netstat:
We can use netstat to show our connection for each hop Client-> CAS -> Mbx -> DC
Open a command window on the CAS server and type netstat -na

You can see from the screen shot above that our client 192.168.1.5 is making connections on port 443 to our CAS server 192.168.1.101
As noted in the connections window from Outlook, the Outlook client makes multiple connections to the CAS server on port 443, and this is validated in the netstat output
CAS -> MBX
On the mailbox server open a command window and type Netstat -na
The first item to note is our mailbox server listening on ports 6001, 6002, and 6004, which are the ports used by RPC/HTTP to make connections

Below you can see our mbx server 192.168.1.102 receiving connections on port 6001 and 6004 from our CAS server 192.168.1.101

MBX -> DC
On our domain controller we can see Ldap 389 and GC 3268 ports with connections from both our CAS server and MBX server.
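The CAS -> MBX check above can be scripted so it does not depend on reading the netstat output by eye. This is an added example, not part of the original article: it assumes Windows PowerShell 3.0 or later and that in this lab only the CAS (192.168.1.101) should be connecting to ports 6001, 6002 and 6004 on the mailbox server; the function name is hypothetical, and the netstat lines, including the 192.168.1.50 and 192.168.1.100 addresses, are constructed.

```powershell
# Added example (not the article's code): check the mailbox server's netstat
# output for the RPC/HTTP listeners and for who is connected to them.
$RpcHttpPorts = 6001, 6002, 6004

function Test-MailboxRpcHttpHop {
    param(
        [Parameter(Mandatory = $true)][string[]]$NetstatLines,
        [Parameter(Mandatory = $true)][string[]]$CasAddresses,
        [int[]]$Ports = $RpcHttpPorts
    )
    # Matches "TCP  local:port  remote:port  STATE" lines from "netstat -na".
    $pattern = '^\s*TCP\s+(?<laddr>\S+):(?<lport>\d{1,5})\s+' +
               '(?<raddr>\S+):(?<rport>\d{1,5})\s+(?<state>[A-Z_0-9]+)\s*$'
    $listening = @()
    $peers     = @()

    foreach ($line in $NetstatLines) {
        if ($line -notmatch $pattern) { continue }   # UDP rows, headers, blanks
        $localPort = [int]$Matches['lport']
        $remote    = $Matches['raddr']
        $state     = $Matches['state']
        if ($Ports -notcontains $localPort) { continue }

        if ($state -eq 'LISTENING') {
            $listening += $localPort
        }
        elseif ($state -eq 'ESTABLISHED') {
            $peers += [pscustomobject]@{ Port = $localPort; Remote = $remote }
        }
    }

    [pscustomobject]@{
        # Expected ports with no listener: Outlook Anywhere will fail on these.
        MissingListeners = @($Ports | Where-Object { $listening -notcontains $_ })
        # Connections from the CAS, which is the hop the article validates.
        CasPeers         = @($peers | Where-Object { $CasAddresses -contains $_.Remote })
        # Anything else connected to these ports deserves a closer look.
        UnexpectedPeers  = @($peers | Where-Object { $CasAddresses -notcontains $_.Remote })
    }
}

# Constructed sample of "netstat -na" output from the mailbox server
# 192.168.1.102. The 192.168.1.50 and 192.168.1.100 hosts are invented.
$sample = @(
    '  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING'
    '  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING'
    '  TCP    0.0.0.0:6004           0.0.0.0:0              LISTENING'
    '  TCP    192.168.1.102:6001     192.168.1.101:1187     ESTABLISHED'
    '  TCP    192.168.1.102:6004     192.168.1.101:1192     ESTABLISHED'
    '  TCP    192.168.1.102:6001     192.168.1.50:3051      ESTABLISHED'
    '  TCP    192.168.1.102:1065     192.168.1.100:389      ESTABLISHED'
    '  UDP    0.0.0.0:445            *:*'
)

# On the mailbox server itself, pass the live output: -NetstatLines (netstat -na)
$result = Test-MailboxRpcHttpHop -NetstatLines $sample -CasAddresses '192.168.1.101'

'Missing listeners: ' + ($result.MissingListeners -join ',')
'Connections from the CAS:'
$result.CasPeers | Format-Table -AutoSize
'Connections from other hosts:'
$result.UnexpectedPeers | Format-Table -AutoSize
```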

Packet Captures:
We can use a tool like NetMon or Wireshark to perform network captures on each hop as well, to validate our traffic between each node. We must note this is encrypted traffic, so we will only see sessions between the nodes.
This capture is run on the XP client and we can see TLS communication between our client 192.168.1.5 and our CAS 192.168.1.101

This capture shows communication from the CAS 192.168.1.101 to the mailbox server on ports 6001/6004
See the highlighted section showing a destination port 6001 from the CAS to the MBX server

See the highlighted section showing a destination port 6004 from the CAS to the MBX server

Mailbox Server -> DC/GC
Below we can see our mailbox server making connections to the DC Ldap port 389

RPCPing:
RpcPing is a utility that we can use to troubleshoot or validate that our rpc proxy is working properly.
RpcPing is a command line tool that can be found in the Windows 2003 resource kit: http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
We can use this tool to test RPC connectivity through an RPC proxy server, which is what Outlook Anywhere uses.
You can use this MS article to assist with this utility http://support.microsoft.com/kb/831051
These tests show us that we are properly connecting through the rpc proxy server to the correct ports associated with Outlook Anywhere.
Reference the above MS article for a breakdown of the switches.
Windows 2008 has added some additional perf counters that we can use with Rpc/Proxy that can assist in identifying connectivity and user load.
Common issues:
1. Certificates – If the client machine does not trust the certificate that is being presented, it will fail to connect. So if you are using self-signed or self-issued certificates you will need to deploy them to each client machine
http://technet.microsoft.com/en-us/library/bb124149%28EXCHG.80%29.aspx















April 22nd, 2008 at 7:15 pm
hi Brian,
i discovered your blog 2 days ago and i have to say; it is now the first stop if i need to research anything on exchange 2007.
quick question about the first step: in my case we have a clustered mbx; would i install the rpc protocol on both nodes and the cas server as well?
thanks for your help
ignazio
April 23rd, 2008 at 8:30 am
hi Brian,
i discovered your blog two days ago and now i make it my first stop for e2k7 problems.
i have a quick question for you: in my environment we have a clustered mbx role with two nodes. do i need to install the rpc component on both nodes?
thanks again for your help.
April 23rd, 2008 at 3:32 pm
Ignazio,
I am assuming you are referring to an NLB cluster for your CAS servers. In that case I would say yes since both nodes will distribute the inbound load and it will also provide you redundancy if a node is stopped from the NLB or goes down.
April 23rd, 2008 at 3:35 pm
I am glad my blog has been of assistance to you. If there are any topics you would like to see please let me know.
April 23rd, 2008 at 7:29 pm
Ignazio, I just saw your first comment… you do not install the rpc proxy on the mailbox servers, only on the CAS servers. when the functionality is enabled with OL Anywhere the mbx will listen on port 6001, 6002, and 6004 and the CAS will put those ports with the mbx server names in the registry for you.
The only way you would put it on the mbx server is if you have an all in one box with CAS,mbx combined in a single server scenario.
May 5th, 2008 at 5:16 pm
I have been through this thoroughly and still cannot get past the initial password prompt when setting up a new outlook profile externally, internally all is good, the exchange 2007 server is not a dc as we use sbs but the cert is a real wildcard from digicert, autodiscover works fine but cannot login without VPN, I’ve checked everything a million times but still cannot get past the password until I connect via VPN, then it works and on server 2008 as a client I can get it working through https once the mailbox is cached.
My tests, on XP with Outlook 2007 I get the password prompt, on Vista with Outlook 2007 I also get the password prompt, windows 2008 with Outlook 2007 will work after the initial VPN setup.
Autodiscover tests succeed, Test-Outlook from EWS is all good, do I need to do some configuring of the RPC ports to connect to my dc, on 2008 I can see all the connections test during your netstat tests. I do get an error about the cert not matching the site from time to time on the clients that are not on 2008 but its a wildcard and they are supposed to work!
May 5th, 2008 at 6:45 pm
julian,
post your email address, I wont publish it and I can email you offline.
May 5th, 2008 at 6:49 pm
Julian,
Also please reference my autodiscover article
http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html
May 11th, 2008 at 1:19 pm
This is a very great post. I made some headway on my Windows 2008/Exchange 2007 setup for the CASE side of things.
Only problem I have is when I try to setup the RPC/HTTPS profile, I keep getting the login popup box and my credentials don’t work.
May 12th, 2008 at 1:06 pm
The popup most of the time is from certificate problems. Are you using a wildcard cert or a private cert?
May 15th, 2008 at 1:59 am
I have Outlook Anywhere and Autodiscover working. However, when I look at connection status the mail lines correctly show HTTP but the directory lines always show TCP rather than HTTP and will not connect when out of the domain. Outlook still seems to work fine except you cannot save new appointments. Any ideas?
May 15th, 2008 at 6:14 am
Im using a cert issued by comodo which has a specific name set but not a wildcard…
Also when I run the Test-OutlookWebServices I get some Successes but 401 Unauthorized errors as well.
May 15th, 2008 at 5:14 pm
mkraftman,
interesting, never seen it split tcp and http….. do you have both boxes checked to always use http first?
May 16th, 2008 at 3:29 am
Yes, I have both boxes ticked. One clue – I have noticed that when inside the domain network the Directory connections over TCP/IP are to my two domain controllers, not the Exchange server (which is not a domain controller). When outside the domain, the failed attempts are to the Exchange server.
May 16th, 2008 at 12:59 pm
What server OS are you running? Also please test with rpcping, I bet you are failing on port 6004 to connect to the directory.
when its going tcp/ip the client is going direct to DC however when using rpc proxy , you hit the CAS via 443 -> mbx which on your behalf connects to dc/gc
May 20th, 2008 at 11:10 am
hi Brian,
quick question;
when outside the lan the only thing that does not work is the “out of office assistant”; everything else works like a charm.
thanks for your help.
May 20th, 2008 at 7:02 pm
out of office uses web services, validate when you run a test from the OL client the proper url is being returned to Outlook
May 22nd, 2008 at 12:54 am
I am using Windows Server 2008 x64. It turned out to be a bug with IPv6. See the solution at http://blog.aaronmarks.com/?p=65 .
I disabled IPv6 on my LAN card network connection and added the FQDN of the server to my HOSTS file and it worked without the need to change the registry settings as described in this link. All connections are now made over HTTPS.
May 22nd, 2008 at 3:52 am
glad you resolved it, I figured that's what you were hitting which is why I asked about the OS version. I believe I have a note in this article about an IPv6 issue which causes the directory 6004 to have issues.
However MS still does not have an official kb on this yet
May 30th, 2008 at 6:22 am
Brian. GREAT post. I need a bit of clarification though on one of your replies. We too are having problems getting out of office assistant to launch when using OA. What do you mean when you say “out of office uses web services, validate when you run a test from the OL client the proper url is being returned to Outlook.”
How do I validate? What test am I running? What am I looking for?
May 30th, 2008 at 5:07 pm
OL 2007 makes calls to the url you have configured https://yyy/EWS/Exchange.asmx you can open a web browser and attempt to logon to that url, you should get an xml return.
You can also look in the post how I demo testing using OL to get the urls attempted.
If Out of Office is not coming up there is either an authentication problem or misconfiguration.
July 7th, 2008 at 11:41 am
i had a cert hostname error, so i used this link http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
to fix that problem. basically pointing all my autodiscover addresses to a different auth point. is the reason my autodiscover will not work with rpc over http? i get auth errors when trying to login via rpc, the rpc connection seems fine as i tested the connection. just authentication is my problem…thanks for any help
July 7th, 2008 at 1:47 pm
can you provide me more info about your configuration
July 9th, 2008 at 3:20 pm
Our Configuration:
CAS,MB, and HT all on one box, fresh installation of Exchange 2007 on a windows 2003 R2 box.
the internal address is mail1.sea.lcl
the external address is owa.sea.org
all the SSL certifications are set to owa.sea.org
i have reconfigured all directories to auth through owa.sea.org
using the commands that i posted in the link of my prior post.
Thanks for any help, any additional information, please let me know
when trying to login via RPC over HTTP, i get auth errors, tried both owa.sea.org and mail.sea.lcl as the internal address.
July 20th, 2008 at 10:39 pm
hello Brian
i have done all the configuration according to your instructions but unfortunately when i am trying to connect from outside it's always getting “the connection to microsoft exchange server unavailable outlook must be online or connected to complete this action”
then i did the check via LAN and when i am trying to login via LAN its always connecting TCP/IP not the HTTPS
please help
Susika
July 20th, 2008 at 10:42 pm
Hello Brian
i have done all configuration according to your instructions but when i am trying to log in from outside it's always getting error “the connection to microsoft exchange is unavailable outlook must be online or connected to complete this action”
then tried via LAN also but via LAN it connects through tcp/ip
need your help
Susika
July 21st, 2008 at 6:57 am
Susika,
This could be any number of items, are you using a public cert or private?
Are you using Windows 2003 or Windows 2008?
Did you test rpc ping from the outside?
firewall blockage?
July 21st, 2008 at 12:10 pm
I have a quick question about outlook anywhere. I ran through your article and configured everything as required. I am able to connect internally but unable to connect externally. Do I need to open any ports in my firewall to let external connections into my exchange server? Let me know what you think
July 22nd, 2008 at 6:19 am
Hi Brian, Im hoping you may have some more sage advice with this issues. Ive tried everything you suggest in your blogs that i have found with no success. Here is what i've been posting around the internet hoping i might get some help.
Hi Everyone.
So, I am in the process of creating an exchange 2007 server for our company. I have everything working internally and OWA works fine externally. The problem is I cannot configure Outlook externally to connect to the exchange server VIA RPC over HTTPS. When external, i get 'server cannot be resolved' error messages after it prompts me for user name and password multiple times. I can access all the websites (autodiscover.xml, ews etc.) externally through IE after entering a valid user name and password but cannot access the /rpc website (it just keeps asking for credentials). My set up is a little something like this:
- PDC, global catalogue server
- exchange server joined to the domain as a member server
- i purchased an SSL certificate for exchange.myextdomain.com
- i have changed all of the virtual directories to use exchange.myextdomain.com\therest
when i run a 'test-outlookwebservices | fl' from EMC i get the following returned:
Id : 1003
Type : Information
Message : About to test AutoDiscover with the e-mail address admin@myextdomain.com.
Id : 1007
Type : Information
Message : Testing server myserver.myintdomain.local with the published name https://exchange.myextdomain.com/EWS/Exchange.asmx & .
Id : 1019
Type : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://exchange.myextdomain.com/Autodiscover/Autodiscover.xml.
Id : 1013
Type : Error
Message : When contacting https://exchange.myextdomain.com/Autodiscover/Autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.
Id : 1006
Type : Error
Message : The Autodiscover service could not be contacted.
yet i can log into the autodiscover web site fine internally and externally using https://exchange.myextdomain.com/Autodiscover/Autodiscover.xml
In IIS, i have only 'basic' and 'windows integrated' authentication for all of these web services. the certificate works perfectly for OWA, i have an A record setup in DNS for autodiscover and have also tried a CNAME for autodiscover .
Can anyone see where i am going wrong here, this is driving me insane i tells ya.
Thanks a lot for any help
Colin
July 22nd, 2008 at 3:30 pm
colin shoot me an email so we can chat offline
July 22nd, 2008 at 3:32 pm
the only port that is required is 443 to the CAS server, there is a known issue with W2k8 and ipv6 that will cause issues as well as certificates. Are you using a private or public cert?
July 22nd, 2008 at 3:50 pm
I believe that I am using a private key that was generated by exchange on the install. I have port 443 open and I can get through with the owa in IE. Another question, do I need to have the Certificate Services on my server running for it to work? Could that possibly be causing me problems.
I go through OWA on my laptop and accept the Cert through there and install it on my machine, but when I am internal and connect through using outlook anywhere I login and then I get a prompt for the cert even after I install it there. When I do the same test internally with my lap top I do the same thing but then don’t get the prompt for the cert. But, I am still not able to connect externally
July 25th, 2008 at 5:03 am
Heylo Brian, I hope that you can help me with a setup of Outlook via HTTP.
I have a single server running Windows Server 2008 SP1 and Exchange Server 2007. I have gotten local Exchange via Outlook as well as OWA working quite well.
One of our users has a laptop so I have been trying to get Outlook via HTTP working for him with no success. The problem seems to be with the security certificate. The error message when trying to use Outlook is as follows:
——————
There is a problem with the proxy server’s security certificate. The name on the security certificate is invalid or does not match the ame of the name of the target site xx.xx.xx.xx.
Outlook is unable to connect to the proxy server. (Error Code 10)
——————
I am new to certificates, but as far as I can tell I have named it as the IP address of the server.
I have installed the certificate on the laptop using the instructions detailed on this page: http://blogs.technet.com/sbs/archive/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx
Do you have any suggestions for me?
Thank you in advance!
Love and Light,
Kristoff
September 10th, 2008 at 8:35 am
Hi Brian,
Thank you for the write up…I just despise the boring
September 10th, 2008 at 8:43 am
Hi Brian,
Thank you for the post; so much better than those boring MS technet-type posts.
I wonder how I can get a bit of assistance with getting this to work as it should. I ran the “Test Email Autoconfig” from the sys tray and that seems ok, but when I do the RpcPing test, I get the “Error 12175 returned in the WinHttpSendRequest” error or if I try to change things in the cmd line here and there I get the “Response from server received: 401 Client is not authorized to ping RPC proxy” or “Exception 1722 (0x000006BA) RPC Server is unavailable” errors. I haven’t yet tried to connect my Outlook from home yet…just wanted to make sure I have everything working locally (at work) first…all my “t’s crossed and i’s dotted”.
I have 2K7 SP1 and Outlook 2K7.
Thanks!
Shane
October 9th, 2008 at 12:32 pm
Hey Brian,
Amazing article, very well written. I am having very little luck lately getting my outlook anywhere to work which is how I discovered you in the first place =). I just recently had to reinstall the CAS roles into exchange and in doing so I had to run some commands in the MES to remove some virtual directories. I noticed when I started your tutorial that rpc had already been installed, but i figured i’d start from scratch and do it anyways. At one point, when I went to run my command to enable outlook anywhere from the shell, i was told that the rpc virtual directory already existed. So, I went and deleted it. As a moron, and a noob to exchange, I then realized its not super easy to recreate. Which leaves me where I am now. Outlook anywhere is fully configured and I’m at the point now where I’m just trying to test it using rpcping..but I’m getting this error: Exception 1722 (0x000006BA)
RPC Server is unavailable
Is this because my idiocracy removed that RPC virtual directory? Is there any way to get it back? I figured disabling and re-enabling outlook anywhere from MEC would recreate that vd if necessary. Apparently I’m wrong :/
Thanks again!
October 9th, 2008 at 1:37 pm
not a problem, I would start by uninstalling rpc proxy service from the server, depending on 2003 or 2008 the steps are a bit different.
disable OLA and then reinstall rpc proxy and enable OLA.
That should get you on the right track.
October 10th, 2008 at 6:46 am
fantastic. that did the trick, disabling outlookanywhere, uninstalling rpc proxy from appwiz.cpl and reinstalling it, then re-enabling outlookanywhere again. I’m able to test it using rpcping and everything, this is great and i do appreciate your help and tutorial!
October 10th, 2008 at 5:59 pm
glad you got it fixed up
October 28th, 2008 at 8:38 am
Hi Brian,
Great BLOG as usual.
We are using ISA 2006 in front of our Exchange System and have Outlook Anywhere working from outside of our company using help from – http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-2006-ISA-Firewall-Part6.html
But when we connect over the LAN we get prompted for a username and password.
This is in a lab environment so it isn’t impacting our production.
Any ideas why it is prompting us?
John.
October 28th, 2008 at 11:47 am
I would need to know more about your configuration but sounds like you have NTLM setup on the outside and basic on the CAS.
Internal you are hitting the CAS direct?
Set both NTLM and Basic on the CAS with the set-outlookanywhere command
November 27th, 2008 at 1:36 am
I am having similar issues to some of your other posters but cannot see a clear answer. I cannot successfully create a new Outlook profile using RPC over HTTPS. If I create the profile using VPN and make the initial connection, it works fine after that without the VPN. We are running Exchange 2007 on a single box with DC on there as well. Any help would be appreciated.
November 27th, 2008 at 9:33 am
have you gone through the rpc ping tests in the blog to validate everything?
Are you running Windows 2008 or 2003?
What rollup are you running?
November 27th, 2008 at 1:20 pm
Have you added autodiscover.domainname.com to your external DNS pointing to your email server.
November 28th, 2008 at 2:21 pm
Nice blog, I have a question…
When logging into outlook users have to authenticate as domain\username. (not in OWA I found the setting to force a default domain there)
Is there any way to set this so by default they all use the default domain in outlook and only have to type their usernames?
Thanks.
December 1st, 2008 at 11:01 pm
I got the exception 1722 error message when running rpcping to port 6004. I reinstalled the rpcproxy, but that didn’t help. The registry settings were wrong and the hosts file needed to be modified because of the ipv6 issue and loopback still being used.
Thanks for the help.
madengineer.blogspot.com
December 2nd, 2008 at 8:29 pm
have you tried disabling OLA and enabling it….
December 8th, 2008 at 12:31 pm
Awesome Blog…I hope you can help me out. I have a 2008 Server running Exchange 2007 Sp1. I can’t seem to get Outlook Anywhere up and running. Everything else on the server is running great. I can get all the way to the authentication part and it just tells me the server is unavailable. Thanks in advanced for any help with this.
December 9th, 2008 at 5:08 am
What Exchange rollup are you running? I believe RU4 or RU5 fixes the ipv6 issue with windows 2008 and a ntlm prompting issue.
December 10th, 2008 at 11:03 am
I have an interesting issue.
BTW great blog. Its on my favs.
Issue: I can connect to Outlook Anywhere just fine when on a standalone system outside of my domain, but when trying to get in on a domain member system it keeps prompting me for a password, over and over again. I enter the username and password, and it does not work, it keeps on prompting me.
Any ideas ? Thank you
December 10th, 2008 at 4:32 pm
are you running Windows 2008? What RU are you running for Exchange?
sounds like 1 of 3 potential issues.
December 12th, 2008 at 5:35 pm
Thank you for the quick response.
I am running Windows 2003 R2 with Sp2.
Exchange 2007 w. sp1. I am not sure what roll up that takes me to. I believe it might be RU 4? How do i confirm the RU?
when i check for Updates on Windows i notice RU 5 is offered.
Thank u, I eagerly await.
December 13th, 2008 at 8:40 am
post an email address I wont publish it so I can take this offline.
December 15th, 2008 at 4:29 pm
Has any one ever had a similar issue?
January 8th, 2009 at 4:01 pm
I also have Exchange 2007 running on Windows Server 2008. Everything work but rpc proxy. I get the unauthorized error no matter what I do. I’ve uninstall rpc and re-installed. I’ve checked the registry for the correct proxy ports, everything looks good but it doesn’t work.
Help!!
January 8th, 2009 at 6:03 pm
What rollup are you running there is an issue with ipv6 pre rollup 4 or 5?
January 16th, 2009 at 9:54 am
I have Exchange 2007 running successfully.
I am planning to set up OAW. Could you help me to know whether my certificate would work or not?
The OWA is working with the default certificate generated during Exchange 2007 installation. This certificate points to the FQDN name of my Exchange server, which cannot be resolved over the internet.
My OWA address is mail.mydomain.org/owa.
My question is, in OAW setup what Exchange address do I have to put?
Do I have to create a new certificate which points to mail.mydomain.org?
Regards
Shoeb
January 27th, 2009 at 9:50 pm
Hi there and thank you for your time and effort in helping out the not so Exchange-brilliant minds.
I have Exchange 2007 SP1, Windows Server 2008, CAS running on the same server. GoDaddy UCC certificate. OWA is working fine. All the iPhones and BlackBerry phones are syncing fine. I enabled Outlook Anywhere and RPC/HTTP is installed. It works internally but externally, I keep getting prompted for the password with no success!
I saw some postings with similar symptoms but no clear resolution.
Any advice?
Thank you,
Eddie
January 28th, 2009 at 9:19 am
Hey, glad to help… let’s move this to the forum section to make it easier to go back and forth.
February 3rd, 2009 at 1:40 pm
Hi – I love the blog posts. I was hoping you could help me with a problem I am having. I have an issue with OL2007 resetting the proxy server and authentication settings intermittently. When this happens, a user opens OL and attempts a connection using OL Anywhere from off network. It fails, and when they check the settings, they see that the https:// has been set back to CASNetbiosName, which is not the name published on the cert (should be https://mail.mydomain.com). Also, the authentication is reset to Basic from NTLM. I have checked all my InternalUrl settings on the ClientAccessServer and WebServicesVirtualDirectory and all are set correctly and in accordance with my SAN certificate. Any ideas on where I should look for an answer to this issue? Thanks!
February 13th, 2009 at 9:31 pm
I am having the same issue that some others appear to have had, but I can’t seem to get mine to work. Everything is fine as long as Outlook is set up while on the domain. The user can then access from outside the domain without a problem. However, setting up the user initially from outside the network fails every time. All tests seem to resolve just fine, except for the rpcping test – I get exception 1722. I have already disabled Outlook Anywhere, uninstalled RPC over HTTP, reinstalled RPC over HTTP and re-enabled Outlook Anywhere. My domain has two servers – both running Server 2008. One is the DC and the 2nd is used for client access and the mailbox server. If you could help, I would appreciate it!
February 14th, 2009 at 11:06 am
Have you disabled ipv6 on the Exchange server? What RU are you running?
Also run this against your environment https://www.testexchangeconnectivity.com/
February 14th, 2009 at 6:23 pm
I just updated to RU 6 this morning. Yes, ipv6 is disabled. I have disabled it via the lan properties as well as the registry value in one of your forums.
When testing against testexchangeconnectivity.com I succeed for autodiscover, but not Outlook Anywhere. The message is AuthPackage was not specified in EXPR section of AutoDiscover Response. I followed the link on the page and have run Set-OutlookProvider EXPR -Server $null. Once I recycled the MSExchangeAutodiscoverAppPool I now fail with the message
Attempting to ping RPC Endpoint 6004 (NSPI Proxy Interface) on server EXCHANGE.winrx.local
Failed to ping Endpoint
I have now gone back to the rpcping and am failing with a 1722 error. I added the -E argument and successfully ping. What am I missing here?
February 15th, 2009 at 7:36 am
Let’s move this to the forum section; it will be easier to go back and forth…
March 10th, 2009 at 11:38 am
Hello,
I hope that you can help me. I have an issue connecting Outlook 2003 to my Exchange Outlook Anywhere 2007.
I can connect all my clients with Outlook 2007 without troubles or issues, but Outlook 2003 cannot connect to the Directory by HTTPS; it only connects to the mail server, so some functionality is lost.
April 6th, 2009 at 9:52 am
Just wanted to leave a comment regarding the IPv6 issue. I had RU4 installed on my Exchange 2007 single server setup, but I was still unable to use OA until I applied the hosts fix described in the KB. So, don’t ignore it just because you have RU4 installed!
April 29th, 2009 at 11:10 am
Hi, great info. Just wondering if there was any way of setting this up in a test environment (separate firewalled zone) with real outside access but without the “purchased” certificates. This is a proof of concept for roaming users and we don’t want to have to purchase certificates for a system that will go away after the end of the POC.
Thanks,
April 30th, 2009 at 8:08 am
Yep, all the configuration would be the same; however, you will need to install the root cert on the client machine so that it chains up, otherwise Outlook will just keep prompting you because of the cert issues.
April 30th, 2009 at 2:41 pm
Thanks, I’m going to give it a try.
May 2nd, 2009 at 11:35 am
I have a single Exch 2007 (CAS, HUB, MB), and also a DC on a separate server. I also have ISA 2004 as the edge server. GoDaddy’s UCC SSL certificate is installed in Exch 2007 and imported to ISA; rules for OWA and RPC have been created.
OWA is working fine but Outlook Anywhere is not working (internally and externally). Why?
But I have a doubt: the RPC proxy valid ports are only like this.
EXCH1: 100-5000.
Do I need to change them as suggested here (RPC over HTTPS Server Configuration Amset_info.mht)? But this article is for Ex 2003.
My question is: do I need to do the same for Exchange 2007?
May 3rd, 2009 at 12:37 pm
Microsoft Exchange Information Store service: 6001
referral service of DSProxy: 6002
proxy service of DSProxy: 6004
Active Directory (if the global catalog server and Exchange Server are on the same server): 6004
What issue are you seeing? You are most likely having the IPv6 issue; have you disabled IPv6?
May 4th, 2009 at 6:04 am
Thanks for your willingness to help. I don’t have a Win 2008 server. Mine is a Win 2003 server, so I think my problem will not be the IPv6 issue. Am I correct?
I made the changes in valid ports as follows for my Exchange 2007 manually.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
“ValidPorts”=”
EXCH1:100-5000;
EXCH1:6001-6002;
EXCH1.domain.local:6001-6002;
ourdc:6001-6002;
ourdc.domain.local:6001-6002;
EXCH1:6004;
EXCH1.domain.local:6004;
ourdc:6004;
ourdc.arbexperts.local:6004;
mail.domain.com:6001-6002;
mail.domain.com:6004;
ourdc:593;
ourdc.domain.local:593;
EXCH1:593;
EXCH1.domain.local:593;
mail.arbexperts.com:593;”
But after some time it is automatically changing to the following.
EXCH2003:6001-6002;EXCH2003:6004;EXCH2003.domain.local:6001-6002;EXCH2003.domain.local:6004;EXCH1:6001-6002;EXCH1:6004;EXCH1.domain.local:6001-6002;EXCH1.domain.local:6004
May 4th, 2009 at 6:13 am
We are running in coexistence with Exchange 2003 and Exchange 2007. It will go on for some time, and both are in separate single-server environments.
EXCH1 IS NETBIOS NAME OF EXCHANGE 2007 (CAS, HUB, MB)
EXCH2003 IS NETBIOS NAME OF EXCHANGE 2003
OURDC IS NETBIOS NAME OF DOMAIN CONTROLLER
PLEASE HELP
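An added example, not part of the original comments and not Exchange's own code: a PowerShell (3.0 or later) audit of an RpcProxy ValidPorts value such as the two quoted above, flagging every entry that would let the proxy relay to a host or port beyond 6001, 6002 and 6004, the ports listed in the reply above. The function names, the host allow list and the joined one-line sample strings are assumptions made for this example.

```powershell
# Added example (not from the original thread): audit an RpcProxy ValidPorts value.
# Ports the thread lists for Exchange 2007 back ends:
#   6001 Information Store, 6002 DSProxy referral, 6004 DSProxy proxy.
$ExpectedPorts = 6001, 6002, 6004

function ConvertFrom-ValidPorts {
    # Split "host:port;host:low-high;..." into one object per entry.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    foreach ($raw in ($Value -split ';')) {
        $entry = $raw.Trim()
        if (-not $entry) { continue }
        if ($entry -match '^(?<server>[^:;\s]+):(?<low>\d{1,5})(?:-(?<high>\d{1,5}))?$') {
            $low  = [int]$Matches['low']
            # A single port is treated as a range of one.
            $high = if ($Matches['high']) { [int]$Matches['high'] } else { $low }
            [pscustomobject]@{
                Raw = $entry; Server = $Matches['server']; Low = $low; High = $high
                Valid = ($low -ge 1 -and $low -le $high -and $high -le 65535)
            }
        } else {
            [pscustomobject]@{ Raw = $entry; Server = $null; Low = $null; High = $null; Valid = $false }
        }
    }
}

function Test-ValidPorts {
    # Return one row per entry with the reasons (if any) it is broader than intended.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [Parameter(Mandatory)][string[]]$AllowedHosts,
        [int[]]$AllowedPorts = $ExpectedPorts
    )
    foreach ($e in (ConvertFrom-ValidPorts -Value $Value)) {
        $findings = @()
        if (-not $e.Valid) {
            $findings += 'malformed entry'
        } else {
            # -notcontains compares case-insensitively, which suits host names.
            if ($AllowedHosts -notcontains $e.Server) {
                $findings += 'host not in allow list'
            }
            # Count ports in the range that are not expected, without expanding the range.
            $covered = @($AllowedPorts | Where-Object { $_ -ge $e.Low -and $_ -le $e.High } |
                         Select-Object -Unique)
            $extra = ($e.High - $e.Low + 1) - $covered.Count
            if ($extra -gt 0) {
                $findings += ('{0} port(s) outside {1}' -f $extra, ($AllowedPorts -join ','))
            }
        }
        [pscustomobject]@{
            Entry    = $e.Raw
            Ok       = ($findings.Count -eq 0)
            Findings = ($findings -join '; ')
        }
    }
}

# Constructed sample input: entries copied from the comment above, joined on one line.
$manualValue    = 'EXCH1:100-5000;EXCH1:6001-6002;EXCH1.domain.local:6001-6002;EXCH1:6004;ourdc:593;mail.domain.com:6004'
$rewrittenValue = 'EXCH2003:6001-6002;EXCH2003:6004;EXCH2003.domain.local:6001-6002;EXCH2003.domain.local:6004;EXCH1:6001-6002;EXCH1:6004;EXCH1.domain.local:6001-6002;EXCH1.domain.local:6004'

# Assumption: only these back-end names should be reachable through the proxy.
$allowedHosts = 'EXCH1', 'EXCH1.domain.local', 'EXCH2003', 'EXCH2003.domain.local'

# On a live server the value would be read from the key named in the comment:
# $live = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy').ValidPorts

foreach ($name in 'manualValue', 'rewrittenValue') {
    "--- $name ---"
    Test-ValidPorts -Value (Get-Variable $name -ValueOnly) -AllowedHosts $allowedHosts |
        Format-Table -AutoSize -Wrap
}
```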
May 4th, 2009 at 1:41 pm
I know there are some OWA issues when you have a cas/mbx and have it front a 2003 environment….
May 8th, 2009 at 2:52 pm
Exchange 2007 sp1 running on W2k3 x64
cert is 3rd party from verisign using mail.publicdomainname.net
OWA and activesync work perfectly
can successfully authenticate against domain when going to
https://mail.publicdomainname.net/autodiscover/autodiscover.xml
cannot successfully authenticate against domain when going to
https://mail.publicdomainname.net/rpc
Get-OutlookAnywhere
gives Identity of privatelanhostname\rpc
cannot authenticate using Outlook 2007
May 9th, 2009 at 11:00 am
Sorry for the delayed response.
I have no issues in OWA, it is working fine. My problem is in Outlook Anywhere/autodiscovery.
June 8th, 2009 at 11:37 am
Where can I get more info about configuring in Windows 2008 Server?
June 11th, 2009 at 1:12 pm
What are you looking for? There really aren’t any changes between 2008 and 2003… the only item to watch out for is issues with IPv6.
June 26th, 2009 at 11:45 am
Hi, I have a Server 2008/Exchange 2007 lab set up and everything seems to be working well. The only issue I have is that Outlook Anywhere is working but only when I make the initial connection on the internal side of the network. If I try to configure a new Outlook 2007 account from the internet it fails. I initially thought that it had to do with autodiscover but it seems that the client is getting all of the right information from the autodiscover service and the ISA logs show that it is sending the traffic to the RPC/HTTP proxy server; it is even making a successful connection for RPC_Out_Data. RPC_in_Data is failing with an error 64 stating that the specified network name is no longer available. I have read that this is not uncommon and I am getting the same RPC_IN error on the pre-connected accounts that are working, so I don’t know if that is the problem or not.
Any Ideas are appreciated
Thanks
July 3rd, 2009 at 5:52 am
Hi Sir,
I am a newbie when it comes to Outlook Anywhere configuration. I have a server running Windows 2008 and Exchange 2007 SP1 on the same machine. Everything works fine except OA. I already enabled RPC over HTTP Proxy on Windows Server 2008 and also enabled OA in EMC using basic authentication. I also used https://testexchangeconnectivity.com but still have a problem and OA won’t work. Hope you can help me and it will be really appreciated.
Thanks in advance.
July 5th, 2009 at 12:29 pm
Have you disabled IPv6?
July 5th, 2009 at 12:34 pm
Can you provide some more information? Have you used the RPC ping utility I have in the article? Have you disabled IPv6?
July 6th, 2009 at 5:39 am
Hi Sir,
I disabled IPv6 during installation of Exchange but I encountered a problem and it was corrected when IPv6 was enabled. If I disable IPv6, is there a possibility of encountering any problem? Exchange Server is now in production, hope you understand.
And for the RPC ping utility, I ran it but I still encounter a problem. Do I need to run it internally or externally?
I have also read that even if my test machine is not connected to the domain, I can still connect to OA. Correct me if I’m wrong, and do I have some certificate issues on this kind of setup?
Hope we can also discuss it offline.
Thanks and more power…
July 6th, 2009 at 1:47 pm
I have been fighting with this for awhile. I have a working certificate set up. From a client machine outside the network I can connect to OWA just fine using https. I can ALSO connect to this URL just fine using https https://myexternalservername.com/rpc When I load the URL I am prompted for credentials, once I enter them I am presented with a blank screen over a secure connection like I should be.
But Outlook Anywhere STILL will not work. I configure the client, try to connect, am presented with a credentials box but get a “can not connect to your exchange server” error when it tries to use them. I have no idea what the problem is. Yes IP V6 is disabled. (Server 08) box.
I can connect using Outlook anywhere internally just fine by the way. My firewall simply is passing port 443 to my exchange server.
July 6th, 2009 at 2:52 pm
Wow, I just got it working. RPCPing tests worked as well but I was still unable to get Outlook Anywhere to work. My fix was this, in the local hosts file include entries for the short and long names of the server. My 2008 server hosts file now looks like this:
127.0.0.1 localhost
::1 localhost (disables IP v6)
192.168.0.16 email2.mydomain.com
192.168.0.16 autodiscover.mydomain.com
192.168.0.16 myserver
192.168.0.16 myserver.mydomain.local
After doing this simple change I was able to make my SSL connection with basic authentication. Crazy.
July 9th, 2009 at 1:28 pm
I have a single-server scenario where everything works except Outlook Anywhere. I ran testexchangeconnectivity.com and came back with the following results and I can’t find anything on how to fix it. I have uninstalled/reinstalled RPC/HTTP and turned on Outlook Anywhere in Outlook. This is driving me nuts, so any help would be greatly appreciated.
___________________________________________________________________
Attempting to test Autodiscover for test@domainname.net
Successfully tested Autodiscover
Test Steps
Attempting each method of contacting the AutoDiscover Service
The AutoDiscover Service was successfully tested.
Test Steps
Attempting to test potential AutoDiscover URL https://domainname.net/AutoDiscover/AutoDiscover.xml
Testing AutoDiscover URL succeeded
Test Steps
Attempting to Resolve the host name thebigtimeonline.net in DNS.
Host successfully Resolved
Additional Details
IP(s) returned: xx.xx.xx.xxx
Testing TCP Port 443 on host domainname.net to ensure it is listening/open.
The port was opened successfully.
Testing SSL Certificate for validity.
The certificate passed all validation requirements.
Test Steps
Validating certificate name
Successfully validated the certificate name
Additional Details
Found hostname domainname.net in Certificate Subject Alternative Name entry
Validating certificate trust
Certificate is trusted and all certificates are present in chain
Additional Details
The Certificate chain has be validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O=”ValiCert, Inc.”, L=ValiCert Validation Network
Testing certificate date to ensure validity
Date Validation passed. The certificate is not expired.
Additional Details
Certificate is valid: NotBefore = 7/4/2009 9:32:00 AM, NotAfter = 7/4/2012 12:57:47 AM
Attempting to Retrieve XML AutoDiscover Response from url https://domainname.net/AutoDiscover/AutoDiscover.xml for user test@domainname.net
Successfully Retrieved AutoDiscover XML Response
Additional Details
AutoDiscover Account Settings – XML Response:
TEST ACCOUNT
/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Test
dad892de-af98-4550-8698-ea4ce872583f
email
settings
EXCH
mail.server.local
/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=MAIL
720180F0
/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=MAIL/cn=Microsoft Private MDB
https://mail.server.local/EWS/Exchange.asmx
https://mail.server.local/EWS/Exchange.asmx
http://mail.server.local/OAB/9e7231a8-6501-4541-8907-6f4ea11bb5ce/
https://mail.server.local/UnifiedMessaging/Service.asmx
0
0
0
mail.server.local
mail.server.local
https://mail.server.local/EWS/Exchange.asmx
EXPR
mail.domainname.net
0
0
0
On
Basic
WEB
0
0
0
https://www.domainname.net/owa
https://mail.server.local/owa
EXCH
https://mail.server.local/EWS/Exchange.asmx
Validating Autodiscover Settings for Outlook Anywhere
Outlook Anywhere Autodiscover Settings validated
Testing RPC/HTTP connectivity
RPC/HTTP test failed
Test Steps
Attempting to Resolve the host name mail.domainname.net in DNS.
Host successfully Resolved
Additional Details
IP(s) returned: xx.xx.xx.xxx
Testing TCP Port 443 on host mail.domainname.net to ensure it is listening/open.
The port was opened successfully.
Testing SSL Certificate for validity.
The certificate passed all validation requirements.
Test Steps
Validating certificate name
Successfully validated the certificate name
Additional Details
Found hostname mail.domainname.net in Certificate Subject Common name
Validating certificate trust
Certificate is trusted and all certificates are present in chain
Additional Details
The Certificate chain has be validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O=”ValiCert, Inc.”, L=ValiCert Validation Network
Testing certificate date to ensure validity
Date Validation passed. The certificate is not expired.
Additional Details
Certificate is valid: NotBefore = 7/4/2009 9:32:00 AM, NotAfter = 7/4/2012 12:57:47 AM
Testing Http Authentication Methods for URL https://mail.domainname.net/rpc/rpcproxy.dll
Http Authentication Methods are correct
Additional Details
Found all expected authentication methods and no disallowed methods. Methods Found: Basic, Negotiate, NTLM
Testing SSL mutual authentication with RPC Proxy server
Successfully verified Mutual Authentication
Additional Details
Certificate common name mail.domainname.net matches msstd:mail.domainname.net
Attempting to Ping RPC Proxy mail.domainname.net
Cannot ping RPC Proxy
Additional Details
A Web Exception occured because an HTTP 404 – NotFound response was received from IIS7
July 23rd, 2009 at 11:01 am
Hi Genie!
Wondering if you could point me in the right direction! I can get Outlook to prompt for a username and password, but never actually get in! I see in your pic, like mine, I am getting the internal name of my mail server… I thought this was the problem, but I see you asking about wildcards, which is what I have. I have ActiveSync and OWA working on the same certificate, but simply can’t get Outlook Anywhere to work!!
Any suggestions?
Thanks,
July 24th, 2009 at 5:58 pm
1. Are you using a cert from a trusted publisher?
2. What auth method do you have enabled?
Typically when the user gets continuous prompting it’s related to the cert.
July 28th, 2009 at 9:49 am
Hi Genie!
I have a wildcard cert from a public auth, DigiCert if I am not mistaken. The cert works great for OWA, ActiveSync but NOT for Outlook Anywhere. I have managed to get to a point where it just pops up. I do get an error in ISA that says the principal name is wrong, which I figured was normal because of the cert being a wildcard; should I still not be able to get in?
If I enable a cert on IIS on the CAS server, can I have it only be bound for external users? Or would I have to set up another IIS site, and move the external sites to this one?
July 29th, 2009 at 4:16 pm
Hey there -
I had the same issue (can’t connect) – turned out the autoconfiguration used the name of my server instead of the domain for login….so…
servername\username
should be:
domainname\username
it was that simple guys and gals.
August 12th, 2009 at 5:58 pm
hi “Christopher Turner”
Can you post/send me what you did to solve that problem? I have a similar one on W2K8 SP2 with Ex2007 SP1 rollup 9 on it.
August 24th, 2009 at 8:10 am
Can I please get clarification…
Can you or can you not connect via a fresh copy of Outlook 2007 using Outlook Anywhere from outside your organisation and setup your email for the first time ?
Everything works 100% if you initially do the setup inside the network and then go offsite but cannot setup outlook from outside.
August 24th, 2009 at 10:53 am
I do that all the time for OL 2007, are you having an issue where that does not work?
August 24th, 2009 at 11:12 am
Yes, it refuses to do a virgin connection…
August 24th, 2009 at 8:39 pm
Just for you by popular demand http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4c4bd2a3-5e50-42b0-8bbb-2cc9afe3216a Exchange 2007 Sp2 has been released
what RU are you running… can you provide more info on your setup?
September 16th, 2009 at 8:06 pm
I have Outlook Anywhere and Autodiscover working. However, when I look at connection status the mail lines correctly show HTTP but the directory lines always show TCP rather than HTTP and will not connect when out of the domain. Outlook still seems to work fine except you cannot save new appointments. I am using Windows 2003 R2 64-bit and Exchange 2007 SP1.
September 18th, 2009 at 3:43 pm
I have seen that happen related to ipv6 but you are running 2003 R2..
Is this an all in 1 box as the directory calls go from the mbx server to the DC?
Make sure port 6002 and 6004 are shown as listening on the mbx server
September 21st, 2009 at 9:57 pm
Quick question: I’ve already configured both autodiscover and Outlook Anywhere and they are both working great. However, several users are asking this question which I’m not sure I can help them with:
“Is it possible to prevent the login authentication prompt from occurring when using Outlook from a domain-joined PC EXTERNALLY?”
I assume the login box is when Outlook Anywhere tries to authenticate and connect you to your mailbox server. So… is this login box a misconfiguration on my part or simply to be expected and can’t be prevented? Once the user enters their credentials… it connects them just fine. No additional prompts or errors occur. We just want to know why it doesn’t just pass cached credentials.
September 26th, 2009 at 5:31 pm
If you have NTLM auth enabled and the user’s profile is set to NTLM then a domain-joined machine that is external will not require another logon.
January 3rd, 2010 at 12:13 am
Like a previous poster I have a 2k8 server running 2k7 Exchange, I have 1 problem. Only Outlook 2007 clients can initiate an outlook anywhere initial configuration remotely. Outlook 2003 clients cannot do the initial negotiation remotely. Suggestions? I’m getting stumped.
Thanks
Paul
January 5th, 2010 at 4:00 pm
Hi Man
I wish I stumbled on this post a bit sooner, … would have saved me many hours figuring this proxy thing out. Great work!
Regards
Bob
January 7th, 2010 at 11:59 pm
One of the issues we’ve experienced with Exchange 2007 setup and Outlook Anywhere were due to bad permissions on Autodiscover IIS site. It would prevent users from accessing their OAB and/or receiving/sending emails
We had to make sure permissions are inherited on all sub-folders of the autodiscover folder. These are the correct Autodiscover folder settings in IIS:
1) Autodiscover folder properties in IIS -> Directory:
- check Read, Index visits, Log
2) Under IIS -> Directory Security -> Authentication:
- Check on Integrated Windows
- Check on Basic authentication
- NO check on anonymous
3) The folder autodiscover at default location:
C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Must have the following security permissions at minimum:
- Administrators: Full Access
- System: Full Access
- Authenticated Users: Read&Execute
These permissions must propagate to all sub-folders and files including the /bin/ folder.
The other thing about OWA, you must have a valid SSL certificate for the external hostname.
Hope this helps…
April 10th, 2010 at 10:06 pm
Hi,
I am having a problem with Outlook Anywhere connectivity. I am using SBS 2008 with Exch 07; my PC has Windows 7 with OL 07 installed. My certificate is not trusted but self-issued by the server.
When I try to connect using the proxy server it gives me an error that the certificate is not trusted and error code 8, but I suspect it doesn’t connect to the server using RPC/HTTP.
I will be grateful if you could please tell me how to diagnose this problem and have it working.
Thanks,
May 27th, 2010 at 2:44 am
Hi
I am having a problem with my Outlook. I run a clustered Exchange 2007 in my local domain and then I activated mail transfer via the internet, so all users in my domain can send email via the internet, but if a user’s computer is not in my domain I can’t set up his mailbox in Outlook. Do you think that if I activate “use Outlook Anywhere” my problem will be solved or not? If not, please say what I could do.
thanks for your blog
May 27th, 2010 at 2:53 am
Hi
thanks for your blog
I run a clustered Exchange in my local domain and set it to transfer mail via the internet. All users whose computers are in my local domain can send and receive mail, but if a user’s computer is not in my local domain I can’t set up his mailbox in Outlook and they can only check email from Outlook Web Access. I want to know if running “Outlook Anywhere” can solve my problem or not; if not, do you have any suggestion for me?
with regard
June 5th, 2010 at 4:30 pm
I have not seen a solution posted here to the issue of Outlook not being able to be set up outside the network. We have Exchange 2007 on Windows 2008. Everything is working except being able to configure Outlook to work initially outside the internal network. RPC works fine for clients that were set up inside the network first. I have disabled IPv6 on the server. We have a purchased certificate that works fine for all other https connections.
June 5th, 2010 at 10:35 pm
This configuration works fine from outside the network. When you do a test autodiscover on your client from outside the network what settings are returned?
June 5th, 2010 at 10:37 pm
also have you used the test site yet https://www.testexchangeconnectivity.com/
June 17th, 2010 at 3:59 pm
Same issue as Ken… Outlook Anywhere works perfectly on our internal network. Trying to configure Outlook 2007 from outside the network will not connect. It kept coming back with either asking for a password or a message saying the server has to be available. What ports have to be opened up on my router/firewall (i.e. 6001/6002/6004, etc.)?
When tested my autodiscover from outside network, it came back ‘connectivity test successfully’.
June 17th, 2010 at 4:10 pm
Here’s what I got when running Outlook Anywhere (RPC over HTTP) test:
ExRCA is testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
An error occurred while testing the NSPI RPC endpoint.
Test Steps
Attempting to ping RPC Endpoint 6004 (NSPI Proxy Interface) on server EXC01.DOMAIN.LOCAL
The attempt to ping the endpoint failed.
Tell me more about this issue and how to resolve it
Additional Details
RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime
June 17th, 2010 at 5:44 pm
Found my solution… http://technet.microsoft.com/en-us/library/cc671176%28EXCHG.80%29.aspx
Here’s my Exchange environment
DC 2003
EXC07 – SRV2008 – CAS
Pulled my hairs out for the past several weeks and this solution along with disabling IPv6 got me home free.
Thanks all for providing me directions to get this issue resolved.
July 20th, 2011 at 8:54 pm
Hello All:
I was reading thru blog and see my issue addressed by Paul but never saw a resolution to the issue:
Outlook 2003 client attempts to connect from external over RPC to Exchange 2007 but is constantly prompted for a password.
Outlook 2010 via autodiscover configuration works without issue for the same account, as does testexchangeconnectivity.com; seems to be something with the 2003 client specifically.
Is there a difference in the way 2003 connects to 2007 Exchange via RPC? I know that 2003 does not use the autodiscover service so that leads me to believe I may be misconfiguring the client.
2003 Client is not domain joined.
Any thoughts?
Thanks in advance;
Ben
July 21st, 2011 at 8:11 am
The most common reason that I have seen for prompting is when clients do not trust the certificate on the Exchange server when using RPC/HTTPS. If you were on Exchange 2010 I would say the issue is that MAPI encryption is off on Outlook 2003 by default and on with Outlook 2007/2010. You can check that setting on the OL 2003 client but that should not be an issue with Exchange 2007.
What SP are you on and what RU?
November 14th, 2011 at 11:20 pm
Hi there and thank you time and effort in helping out the not so Exchange-brilliant minds.
I have Exchange 2007 SP1, Windows server 2008, CAS running on the same server. Go daddy UCC certificate. OWA is working fine. all the iphones and Blackberry phones are synching fine. I enabled Outlook anywhere and rpc/http is installed. It works internally but externally, I keep getting prompted for the password with no success!
I saw some posting with similar symptoms but no clear resolution.
Any advise?
January 11th, 2012 at 2:22 am
Hi Man, Its a good blog to configure the exchange server.
I follow your steps but my outlook anywhere is not working fine, in finishing when i look for connection status its still showing TCP/IP, but when i go offline n come back online in outlook, it show HTTP/HTTPS, but its changed again when outlook connect to the exchange server
January 11th, 2012 at 10:52 am
I need some help / guidance with setting up Outlook Anywhere? Here is my setup.
We have a forest with 3 domains and each domain is managed by different teams in different countries. We share the same Exchange org but each domain has its own set of MBX, CAS & HUB servers etc. For example ABC.Contoso.com, JKL.contoso.com & XYZ.contoso.com. I am admin for the XYZ domain. Currently Outlook Anywhere is enabled on ABC CAS servers and all our workstations in XYZ have ABC proxy settings in Outlook, using autodiscover to connect to Outlook Anywhere. Also the Autodiscover record is pointing to ABC CAS servers.
My question is: we want to enable Outlook Anywhere on our own CAS servers in the XYZ domain and all our workstations should be able to use the XYZ CAS server Outlook Anywhere proxy URL when doing autodiscover. What is the best way to achieve this? I am looking for some guidance here as I don’t want to mess up my production environment.
January 12th, 2012 at 10:29 pm
Stanley,
Autodiscover works in a number of ways depending on whether you are domain joined or not… For domain-joined machines AutoD will look up the SCP connection in AD. You can configure a site scope to have clients pull from the CAS in their AD site (http://technet.microsoft.com/en-us/library/aa998575.aspx); however, if this cannot be determined it will randomly pull that information. The AutoD lookup will look for the OA URL that is in the AD site associated with the CAS/MBX for that site and return that information to the user.
For a non-domain-joined user a DNS record is used for Autodiscover.domain.com. This will be based on the primary SMTP address of the user’s mailbox, so if the primary is xyz.com then the Outlook client will look up autodiscover.xyz.com to populate the URLs for a number of items like OA, offline address book, web services etc.
So in short, you can use site scopes for the clients that are domain joined and DNS for non-domain-joined or external users. I wrote this blog back in 2007 that explains AutoD in more detail (http://www.exchange-genie.com/2007/07/exchange-2007-autodiscover-service-part-1/ )
January 12th, 2012 at 10:31 pm
Arun,
I would need a bit more information than you have provided. What is your setup like? Are you using a public cert or private cert? Have you looked at the FW on the CAS box? Have you looked in the IIS logs for OA connections? Where did you get your cert, etc.?
January 16th, 2012 at 9:41 am
Hi, thanks very much for your response. I just checked the autodiscover site scope for our CAS servers and the site scope is already set to our AD sites for all our CAS servers, and it looks like no changes are required from the autodiscover point of view.
Regarding Outlook Anywhere, it is only enabled on a couple of CAS servers which do not belong to our AD site, and all our workstations have the Outlook Anywhere proxy URL from that CAS server. My question is: if I enable Outlook Anywhere on one of my CAS servers in my AD site, I am assuming that new Outlook clients, when running autodiscover for the first time, will choose the new Outlook Anywhere URL I set for my CAS servers, but how about the existing Outlook clients which already have the Outlook Anywhere URL from a different site? How do I go about updating already existing Outlook clients to choose the newly configured Outlook Anywhere URL I will be enabling on one of the CAS servers in my site?
January 17th, 2012 at 10:21 pm
So there is a fuzzy answer… In theory autodiscover should run and update the information however that does not seem to work properly and depends on what version of Outlook you are using and if you have the right fixes. An easy way to force the client would be to run a repair on the client which will force autod to run and should update the client with the correct info or you could just manually change the url. Neither of those are good answers but are valid ones.
January 18th, 2012 at 10:05 am
Hi,
Some very detailed and helpful information here, and I’m hoping you can assist me with a very frustrating problem I’m having.
I have a local domain with about 20 mail users. Windows Server 2008. Exchange 2007. Outlook users connect to exchange over the LAN no problem at all… Additionally, they can connect from home or outside the office using OLA with no issues. Everything appears to run just as it should.
Recently however, my organisation was purchased by a larger company. They have set up mail accounts for all the users, and have configured their OLA. I have tried this at home and was able to successfully connect using OLA.
For the users in my office i have tried everything I can think of to enable them to connect to the external domain. I have tried creating new outlook profiles etc, but the result is always the same. For domain users, when trying to configure an external OLA account, the server always seems to default to the local server, and not the remote server. This is driving me insane, so any assistance would be very helpful.
Jim
January 18th, 2012 at 8:54 pm
Jim… I want to validate I understand. You currently have a local Exchange setup which hosts about 20 mailboxes and have merged with another company that also has Exchange. You now need to reconfigure the clients so their OL profiles point to the new setup? 1. Is the email address the same or different for the external domain? 2. Are you removing your Exchange server? 3. Are you trying to have two profiles, one to the local and one to the remote?