Microsoft Outlook is the email client application
that was designed with Exchange in mind. In the most common
implementations of Exchange, end users will be accessing their mailboxes
with Outlook. Therefore, it's important to ensure that email access
through the Outlook client is easy to set up and use. This section shows
you how to accomplish some of the common tasks related to managing
client access through the Outlook application and through third-party
applications.
1. Configure Outlook Anywhere
When an Outlook client is on the same network as the Exchange server, the client can connect to the server using the MAPI protocol through an RPC connection. RPC uses a service called an endpoint mapper. The job of the endpoint mapper is to determine which port both endpoints of the RPC connection will talk on. RPC requires that ports 1024 through 65535 be accessible because the endpoint mapper will dynamically select one of those ports to use. Few organizations will allow this port range to be exposed to the Internet, so users can't connect Outlook from outside the network to their Exchange mailboxes over RPC unless they use a VPN tunnel.
Outlook Anywhere solves
this problem by encapsulating the RPC traffic into HTTPS communications.
Because Outlook Anywhere wraps RPC inside HTTPS, the data is
transferred as HTTPS traffic and can easily traverse firewalls without
opening up a wide port range. If users can get to a secure website, they
can get to their email using Outlook.
1.1. Enable Outlook Anywhere
Outlook Anywhere is not
enabled by default. If you decide to use it, you will need to enable it
on one or more Client Access servers. When you enable Outlook Anywhere,
you must specify an external hostname that clients will use to connect
to their mailboxes.
1.1.1. Configure Outlook Anywhere in the Exchange Management Console
To configure Outlook Anywhere in the EMC:
Open the EMC and browse to the Server Configuration => Client Access node in the Console tree.
Select the Client Access server for which you want to enable Outlook Anywhere, and click the option Enable Outlook Anywhere in the Actions pane.
In the Enable Outlook Anywhere configuration screen, enter the external hostname that users will use to connect to their mailboxes through the Outlook client.
This hostname needs to resolve to the Client Access servers in DNS and have a valid certificate associated with it.
Click the Enable button to enable Outlook Anywhere.
In the Completion screen, click the Finish button.
The configuration of Outlook Anywhere can take up to 15 minutes to take effect.
To determine if it is enabled, open the Application event log by clicking Start => Administrative Tools => Event Viewer.
In the Console tree inside Event Viewer, browse to Windows Logs => Application.
In the Results pane, look for the Information event with Event ID 3006 with the source of the event MSExchange RPC Over HTTP Autoconfig. This signifies that Outlook Anywhere installed successfully.
1.1.2. Enable Outlook Anywhere Using the Exchange Management Shell
To enable Outlook Anywhere using the EMS, you can run the Enable-OutlookAnywhere
command. When you run the command, you should specify the
authentication method, the name that users will use to connect their
Outlook clients from outside your network, and whether or not you'll use
SSL offloading.
Enable-OutlookAnywhere -DefaultAuthenticationMethod Basic -ExternalHostname:mail.contoso.com -SSLOffloading:$false
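The following script is an added example, not a command from the book: it checks the two prerequisites the EMC procedure calls out (the external hostname resolves in DNS and an IIS-bound certificate covers it), enables Outlook Anywhere, reads the stored configuration back, and looks for the Event ID 3006 confirmation described above. It assumes the Exchange 2010 Management Shell, the server name CONTOSO-EX1 and hostname mail.contoso.com from this page, and that the Get-OutlookAnywhere output exposes a ClientAuthenticationMethod property.

```powershell
# Added example (not from the book). Assumes the Exchange 2010 Management Shell;
# $Server and $HostName are the sample values used on this page.
$Server   = "CONTOSO-EX1"
$HostName = "mail.contoso.com"

# 1. The external hostname must resolve in DNS before any client can reach it.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($HostName)
    Write-Host "DNS: $HostName ->" ($addrs | ForEach-Object { $_.IPAddressToString })
} catch {
    Write-Warning "DNS: $HostName does not resolve; external clients cannot connect."
}

# 2. A certificate enabled for IIS on the CAS must list the hostname.
#    (Wildcard certificates are not matched by this simple name comparison.)
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match "IIS" -and
                   (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $HostName) } |
    Select-Object -First 1
if (-not $cert) {
    Write-Warning "No IIS-enabled certificate on $Server covers $HostName."
} elseif ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate for $HostName expired on $($cert.NotAfter)."
}

# 3. Enable Outlook Anywhere. NTLM is chosen because the text recommends it over
#    Basic; SSL offloading stays off unless a trusted device terminates SSL.
Enable-OutlookAnywhere -Server $Server -ExternalHostname $HostName `
    -DefaultAuthenticationMethod NTLM -SSLOffloading $false

# 4. Read the configuration back and confirm it matches what was requested.
Get-OutlookAnywhere -Server $Server |
    Format-List Identity, ExternalHostname, ClientAuthenticationMethod, SSLOffloading

# 5. The change can take up to 15 minutes; success is signalled by Event ID 3006
#    from source "MSExchange RPC Over HTTP Autoconfig" in the Application log.
$evt = Get-EventLog -LogName Application -ComputerName $Server -After (Get-Date).AddMinutes(-20) |
    Where-Object { $_.Source -eq "MSExchange RPC Over HTTP Autoconfig" -and $_.EventID -eq 3006 }
if ($evt) { Write-Host "Outlook Anywhere configured successfully (Event ID 3006 logged)." }
else      { Write-Host "Event ID 3006 not logged yet; check again within 15 minutes." }
```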
1.2. Configure SSL Offloading
When using Outlook
Anywhere, the HTTPS connections are secured using a Secure Sockets Layer
(SSL) connection. This ensures that any data that is passed back and
forth from the client to the server is encrypted, to prevent other
people from viewing the data or modifying it. To secure this connection
with SSL, the CAS uses an existing certificate.
The work that the CAS performs
to encrypt and decrypt the SSL communications can place an additional
load and burden on the server. Therefore, Exchange has the ability to
offload SSL. When SSL is offloaded, the CAS allows another system that
it trusts, such as a firewall, to do the encryption and decryption.
Instead of the client talking directly to the CAS, the client now has a
secured connection to the firewall, and the firewall has an unsecured
connection to the CAS.
1.2.1. Enable SSL Offloading Using the Exchange Management Console
You can use the following steps to enable SSL offloading in the EMC:
Open the EMC and browse to the Server Configuration => Client Access node in the Console tree.
In the list of Client Access servers presented in the Results pane, click the CAS that you want to enable SSL offloading on.
Click the Properties option in the Actions pane to bring up the properties dialog box for the CAS.
In the properties dialog box, click the Outlook Anywhere tab.
Place a check mark beside the option Allow Secure Channel (SSL) Offloading.
Click OK to close the properties dialog box and make the changes.
1.2.2. Modify SSL Offloading Using the Exchange Management Shell
You can modify the SSL offloading setting in the EMS using the Set-OutlookAnywhere command. When you run the command, specify the SSLOffloading parameter and set it to $true, as shown here:
Set-OutlookAnywhere -Identity "CONTOSO-EX1\Rpc (Default Web Site)" -SSLOffloading $true
1.3. Modify the Authentication Method
The authentication
method used in Outlook Anywhere determines how users present their
username and password to the server. There are two authentication
options that you can use for Outlook Anywhere:
Basic authentication
NTLM authentication
When Basic authentication is used, the user is prompted by the Outlook client for the username and password that it needs to connect to Exchange. Both the username and the password are sent to the server to validate the credentials of the user. Although the connection is secured with SSL, it's not generally a good idea to send a password over the Internet. Therefore, I recommend that you use NTLM authentication if possible.
NT LAN Manager (NTLM) authentication does not send the password over the Internet. Instead, NTLM sends a hashed value derived from the user's credentials. This means that the password itself is never sent over the Internet, making the connection more secure. If the client computer is a member of the forest that Exchange is in, and if the user is logged in with their domain account (a common scenario when users have company-owned laptops), NTLM authentication can use the current credentials of the user and does not need to prompt the user for their username or password. This provides another advantage over Basic authentication. However, NTLM authentication may not work through every firewall.
1.3.1. Configure the Authentication Method Using the Exchange Management Console
You can use the EMC to configure the authentication method using the following steps:
Open the EMC and browse to the Server Configuration => Client Access node in the Console tree.
In
the list of Client Access servers presented in the Results pane, click
the CAS that you want to set the authentication method on.
Click the Properties option in the Actions pane to bring up the properties dialog box for the CAS.
In the properties dialog box, click the Outlook Anywhere tab.
In the Client Authentication Method section, select either Basic Authentication or NTLM Authentication.
Click OK to close the properties dialog box and make the changes.
1.3.2. Configure the Authentication Method Using the Exchange Management Shell
You can set the authentication method with the EMS using the Set-OutlookAnywhere command. When you use this command, you will specify the DefaultAuthenticationMethod
parameter and specify either NTLM or Basic as its value. The following
example turns on NTLM authentication for Outlook Anywhere.
Set-OutlookAnywhere "CONTOSO-EX1\Rpc (Default Web Site)" -DefaultAuthenticationMethod NTLM
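As an added example (not part of the book), the script below audits the Outlook Anywhere settings of every Client Access server in the organization against the two points this chapter makes: Basic authentication sends the password itself across the Internet, and SSL offloading leaves the hop from the offload device to the CAS unencrypted. With -Fix it stages the Basic-to-NTLM change using -WhatIf so the affected identities can be reviewed first. It assumes the Exchange 2010 Management Shell and that Get-OutlookAnywhere output carries ServerName and ClientAuthenticationMethod properties.

```powershell
# Added example (not from the book). Assumes the Exchange 2010 Management Shell;
# the ServerName and ClientAuthenticationMethod property names are assumed.
param([switch]$Fix)

$findings = foreach ($oa in Get-OutlookAnywhere) {
    $issues = @()
    if ($oa.ClientAuthenticationMethod -eq "Basic") {
        # The page recommends NTLM: with Basic the password itself is transmitted.
        $issues += "Basic authentication in use; NTLM recommended"
    }
    if ($oa.SSLOffloading) {
        # Valid only when a trusted device terminates SSL; the device-to-CAS hop is plain HTTP.
        $issues += "SSL offloading enabled; confirm the offload device is trusted"
    }
    if (-not $oa.ExternalHostname) {
        $issues += "no external hostname configured"
    }
    New-Object PSObject -Property @{
        Server           = $oa.ServerName
        Identity         = $oa.Identity
        AuthMethod       = $oa.ClientAuthenticationMethod
        SSLOffloading    = $oa.SSLOffloading
        ExternalHostname = $oa.ExternalHostname
        Issues           = ($issues -join "; ")
    }
}

# Summary table: one row per Client Access server.
$findings | Format-Table Server, AuthMethod, SSLOffloading, ExternalHostname, Issues -AutoSize

# Optional remediation: move Basic-authenticated servers to NTLM. -WhatIf only
# reports what would change; remove it once the list has been reviewed.
if ($Fix) {
    $findings | Where-Object { $_.AuthMethod -eq "Basic" } | ForEach-Object {
        Set-OutlookAnywhere -Identity $_.Identity -DefaultAuthenticationMethod NTLM -WhatIf
    }
}
```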