Outlook Anywhere is the new name for RPC over HTTP. Wrapping all the RPC traffic that Outlook requires in to a single HTTP traffic stream allows Outlook to connect to your Exchange server over the Internet, through your own firewall and any firewall on the client side, without having to open a large number of ports.
Ideally deployed with an SSL certificate, you only have to open a single port, 443. If you have deployed an SSL certificate to secure OWA and Exchange ActiveSync, you can use the same certificate for Outlook Anywhere.
With careful network configuration using a split DNS system, you can also use Outlook Anywhere inside your own firewall, allowing mobile clients to come and go from your network without having to reconfigure their machines. When successfully deployed, it should be totally transparent to the end user.
To use Outlook Anywhere, the client OS needs to be Windows XP Service Pack 2 or higher with Outlook 2003 or later installed. As with Outlook Web Access, Outlook Anywhere requires a server with the Client Access role installed.
Tip | When setting up Outlook Anywhere for the first time, if possible, configure your network so that the name on your SSL certificate works both inside and outside the firewall. Then get everything to work inside first. This ensures that any firewall problems are not causing a connection failure. |
Split DNS (aka Split Brain DNS) describes a configuration in which you have two DNS servers that deliver different results to a DNS query, depending on which server is used. You can use Split DNS to deploy a single name for Outlook Anywhere, Outlook Web Access, or any other web service that is accessible both internally and externally. Setting up a Split DNS system is very simple, but it does take some care:
Establish what services are being accessed externally using your external domain name. This will probably include your website and possibly an FTP site. If you have access to the domain name DNS records, take a look at what hosts are configured for your domain name. Make a note of any that are not configured to point to resources that are inside your network.
Create a new DNS zone on your internal DNS servers with a name that matches your external DNS domain name. You may already have one if your Active Directory domain uses your external domain name. In this new zone, add your external hosts with their external IP addresses. Take care here: once the zone exists, your internal servers answer authoritatively for every name in it, so any public host you leave out will stop resolving from inside the network.
Add your internal hosts to the DNS zone.
Once the zone has been set up, replicate it to your other internal DNS servers (an Active Directory-integrated zone does this for you). To test, drop into a command prompt and use ping, or nslookup where ICMP is filtered and ping would give a misleading answer. If you look up www.yourdomain.com (where yourdomain is the external domain name), you should get back the external IP address where your website is hosted.
If you look up mail.yourdomain.com (where mail.yourdomain.com is an internal host - the Exchange server, for example), you should get back the Exchange server's internal IP address.
Any failures, such as the wrong IP address or unknown host errors, mean that the DNS zone isn't set correctly.
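The procedure above, as an added example that is not the book's own script: it creates the internal copy of the external zone with dnscmd.exe, adds the public and internal hosts, and then resolves every name and compares the answer with the address it should have. Run it on an internal DNS server as a DNS administrator, and replace the zone name and addresses, which are all assumed values.

```powershell
# Added example, not from the book: build the internal copy of the external
# zone with dnscmd.exe, then confirm each name resolves as intended.
# Every name and address below is an assumed value for illustration.
$zone = 'yourdomain.com'

# Public hosts keep their public addresses (assumed values).
$externalHosts = @{ 'www' = '203.0.113.10'; 'ftp' = '203.0.113.11' }
# Internal hosts get their private addresses (assumed values). 'mail' is the
# Client Access server and the name on the SSL certificate.
$internalHosts = @{ 'mail' = '192.168.10.25'; 'autodiscover' = '192.168.10.25' }

# Create the zone only if it does not already exist (it will, if the Active
# Directory domain uses the external name). /DsPrimary stores it in AD so it
# replicates to every domain controller running DNS without further work.
$null = dnscmd /ZoneInfo $zone 2>&1
if ($LASTEXITCODE -ne 0) {
    dnscmd /ZoneAdd $zone /DsPrimary | Out-Null
}
foreach ($h in $externalHosts.Keys) { dnscmd /RecordAdd $zone $h A $externalHosts[$h] | Out-Null }
foreach ($h in $internalHosts.Keys) { dnscmd /RecordAdd $zone $h A $internalHosts[$h] | Out-Null }

# Resolve every expected name and compare it with the address it should have.
# Returns $true only if all names resolve to the expected address.
function Test-SplitDnsZone {
    param([string]$Zone, [hashtable]$Expected)
    $allGood = $true
    foreach ($h in $Expected.Keys) {
        $fqdn = "$h.$Zone"
        try {
            $answers = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        } catch {
            Write-Host "FAIL  $fqdn does not resolve ($($_.Exception.Message))"
            $allGood = $false
            continue
        }
        if ($answers -contains $Expected[$h]) {
            Write-Host "OK    $fqdn -> $($answers -join ', ')"
        } else {
            Write-Host "FAIL  $fqdn -> $($answers -join ', ') (expected $($Expected[$h]))"
            $allGood = $false
        }
    }
    return $allGood
}

ipconfig /flushdns | Out-Null          # do not let a cached answer hide a mistake
$expected = @{}
$externalHosts.Keys | ForEach-Object { $expected[$_] = $externalHosts[$_] }
$internalHosts.Keys | ForEach-Object { $expected[$_] = $internalHosts[$_] }
Test-SplitDnsZone -Zone $zone -Expected $expected
```

A FAIL for a public name usually means it was left out of the new zone; a FAIL for the mail host means the record points at the wrong address or the zone has not replicated to the server this machine uses for DNS.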
Note | Outlook Anywhere should be run over an SSL-secured connection. With Basic authentication the username and password are only Base64-encoded inside each request, so SSL is what keeps them from being read on the wire. Although the dialog boxes in Outlook make it seem that you can run the feature without SSL, in practice getting it to run without SSL is complex, and there is no good reason to try. |
Configuration of Outlook Anywhere is quite straightforward, which is a nice change from how it was configured in Exchange 2003, which required a number of Registry changes to the Exchange server and domain controller if you were not using a front-end/back-end scenario. It is enabled on a per-server basis.
Step 1: SSL certificate considerations We discuss SSL certificate use in Chapter 20, "Securing Exchange Server." However, remember that for this feature to work correctly, the certificate needs to be trusted by the client. Outlook cannot cope with any SSL certificate prompts.
Step 2: Install the RPC Proxy component Before you make any changes to Exchange, the RPC Proxy component needs to be installed. You will find this in Add/Remove Programs, Add/Remove Windows Components. The option is under Network Components. After the component is installed, a reboot should not be required.
Step 3: Enabling Outlook Anywhere on Exchange Server As with all components in Exchange 2007, you can enable the Outlook Anywhere option using the Exchange Management Console or the Management Shell.
To configure Outlook Anywhere using the EMS, use a command similar to this one:
Enable-OutlookAnywhere -Server:'ServerName' -ExternalHostName:'ExternalHostName' -ExternalAuthenticationMethod:'Basic' -SSLOffloading:$false
In this command, ServerName is the real name of the server and ExternalHostName is the name by which the server is known on the Internet and the name used in your SSL certificate. For example, if your server is known as exchange01 and the certificate is in the name of mail.domain.com, then the command would be as follows:
Enable-OutlookAnywhere -Server:'exchange01' -ExternalHostName:'mail.domain.com' -ExternalAuthenticationMethod:'Basic' -SSLOffloading:$false
Note | External authentication sets the authentication type the server accepts. In a change from Exchange 2003, you can use either Basic or NTLM (integrated), but not both on the same server. Basic sends the password Base64-encoded, not encrypted, in every request, so it is acceptable only over SSL; NTLM avoids that, but some firewalls and reverse proxies do not pass it through cleanly, which is why Basic is the usual starting point. |
Warning | SSL offloading means that SSL is terminated elsewhere - for example, on a reverse proxy or load-balancing appliance that then talks to the Client Access server over plain HTTP. Enable it only in that case: if nothing in front of the server is terminating SSL, setting this option to $true causes the feature to fail. |
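An added example (not the book's own script) that runs the command above and then reads the configuration back, flagging the settings that silently break the feature: a host name that does not match the certificate, SSL offloading enabled with nothing to offload to, and no IIS-enabled certificate covering the external name. The server and host names are assumed values. Get-ExchangeCertificate in Exchange 2007 reports only the local server's certificates, so run this in the Exchange Management Shell on the Client Access server in question.

```powershell
# Added example, not from the book: enable Outlook Anywhere on one Client
# Access server, then read the result back and flag the settings that
# silently break the feature. Names below are assumed values; run it in the
# Exchange Management Shell on the Client Access server itself.
$server       = 'exchange01'
$externalName = 'mail.domain.com'

Enable-OutlookAnywhere -Server $server -ExternalHostName $externalName `
    -ExternalAuthenticationMethod Basic -SSLOffloading $false

function Test-OutlookAnywhereConfig {
    param([string]$Server, [string]$ExpectedHostName)
    $oa = Get-OutlookAnywhere -Server $Server
    if ($oa -eq $null) {
        Write-Warning "$Server has no Outlook Anywhere configuration"
        return $false
    }
    $ok = $true
    if ($oa.ExternalHostname.ToString() -ne $ExpectedHostName) {
        Write-Warning "ExternalHostname is '$($oa.ExternalHostname)'; clients and the certificate expect '$ExpectedHostName'"
        $ok = $false
    }
    if ($oa.SSLOffloading) {
        # Only correct when a proxy in front of the server terminates SSL.
        Write-Warning "SSLOffloading is enabled on $Server; turn it off unless a proxy terminates SSL for it"
        $ok = $false
    }
    # Basic authentication only Base64-encodes the password, so the certificate
    # bound to IIS here must cover the external name that clients connect to.
    # Get-ExchangeCertificate in Exchange 2007 lists the local server only.
    $matching = Get-ExchangeCertificate | Where-Object {
        ($_.Services.ToString() -match 'IIS') -and
        (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $ExpectedHostName)
    }
    if (-not $matching) {
        Write-Warning "No certificate enabled for IIS on this server lists $ExpectedHostName (a wildcard certificate will not satisfy this exact-name check)"
        $ok = $false
    }
    Write-Host ("{0}: auth={1} sslOffloading={2} externalHostname={3}" -f $Server,
        $oa.ExternalAuthenticationMethod, $oa.SSLOffloading, $oa.ExternalHostname)
    return $ok
}

Test-OutlookAnywhereConfig -Server $server -ExpectedHostName $externalName
```

Run the check again after any later Set-OutlookAnywhere change; the two settings it flags are the ones most often changed by accident from the Properties tab.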
If you want to configure Outlook Anywhere using the Exchange Management Console, follow these steps:
First, open the console, expand Server Configuration work center, and open the Client Access subcontainer.
Select the server on which you want to enable Outlook Anywhere. In the Actions pane on the right, select Enable Outlook Anywhere.
The Enable Outlook Anywhere Wizard (shown in Figure 19.13) appears. Enter the external name that the clients will be using to access the server - this should match your SSL certificate. Select your authentication method. We suggest starting with Basic.
Once configured, the options for Outlook Anywhere can be changed by selecting the server under Client Access and choosing Properties. An additional tab will be seen for Outlook Anywhere configuration (shown in Figure 19.14).
Figure 19.13: Enabling Outlook Anywhere using the Exchange Management Console
Figure 19.14: Modifying the Outlook Anywhere configuration
With Outlook 2007, you can configure Outlook Anywhere via the Autodiscover service or manually. You must configure Outlook 2003 manually. Older versions of Outlook do not support Outlook Anywhere.
In all cases, you must have Outlook installed on Windows XP Service Pack 2 or higher. It can be any version of Windows XP, including Home and Media Center. For Vista, any version may be used, not just the business editions.
Where the host machine is not a member of the domain or forest that Exchange is installed in, you will need to take extra care with configuring the client.
You can carry out automatic configuration of Outlook Anywhere by using the Autodiscover service of Exchange 2007, which is available only with Outlook 2007. If you are using Outlook 2003, then you will need to manually configure the client.
However, if this is your first time with Outlook Anywhere, you should manually configure it to begin with, and then move to Autodiscover configuration once you have a working deployment. We discuss Autodiscover setup and configuration in Chapter 17, "Supporting Outlook 2007."
Tip | Test the SSL certificate before you try configuring any Outlook client. Open Internet Explorer, and browse to https://mail.domain.com/rpc (where mail.domain.com is the name on your SSL certificate). An authentication prompt or an HTTP error page from /rpc is fine; it means SSL negotiated cleanly and the RPC proxy answered. A certificate prompt is not: if you get one, the client will fail to connect, because Outlook cannot cope with any SSL certificate prompts. The certificate must chain to a root the client trusts and carry the exact name you browsed to. |
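The same check from the client side, as an added example that is not from the book, so it can be scripted against a client before any profile is built. It needs PowerShell 2.0 or later, and the host name is an assumed value. Certificate validation is deliberately left on: suppressing it would hide exactly the error Outlook will hit.

```powershell
# Added example, not from the book: probe the RPC proxy endpoint the way
# Outlook will, from the client, before touching any profile. The host name
# is an assumed value; substitute the name on your certificate.
function Test-RpcProxyCertificate {
    param([string]$HostName)
    $url = "https://$HostName/rpc"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method  = 'GET'
    $req.Timeout = 15000
    $status = $null
    try {
        $resp = $req.GetResponse()
        # /rpc normally refuses anonymous requests, so a 200 is unexpected,
        # but it still proves the certificate validated without a prompt.
        $resp.Close()
        $status = 'OK (unexpected HTTP 200 from /rpc)'
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        switch ($ex.Status.ToString()) {
            'TrustFailure' {
                # Untrusted root, name mismatch or expired certificate: this
                # is the condition that makes Outlook fail silently.
                Write-Host "FAIL  certificate presented for $HostName is not trusted by this client"
                return $false
            }
            'ProtocolError' {
                # 401 or 403 from /rpc is the healthy answer: SSL negotiated
                # cleanly and the RPC proxy component is listening.
                $code = [int]$ex.Response.StatusCode
                $status = "OK (HTTP $code from /rpc)"
            }
            default {
                Write-Host "FAIL  $url unreachable: $($ex.Status) $($ex.Message)"
                return $false
            }
        }
    }
    # Report what was presented so a wrong-name or expiring certificate is visible.
    $cert = $req.ServicePoint.Certificate
    if ($cert -ne $null) {
        Write-Host "$status  subject=$($cert.Subject)  expires=$($cert.GetExpirationDateString())"
    } else {
        Write-Host $status
    }
    return $true
}

Test-RpcProxyCertificate -HostName 'mail.domain.com'
```

Run it from inside the network first and then from outside; with split DNS in place both runs should report OK with the same certificate subject.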
If you just enabled Outlook Anywhere, we recommend that you carry out your initial testing and configuration of the client manually. This will allow you to troubleshoot the process and configuration. Once it is working correctly, you can use the settings with Autodiscover for Outlook 2007. Outlook 2003 users will need to use the manual setup process, which we will now describe. If you have configured Outlook 2003 to use RPC over HTTP with Exchange 2003 in the past, you'll see that the process is identical. Outlook 2007 changes some of the labels.
Carry out your first configuration inside the network using a machine that is part of the domain. By doing the initial setup inside, you can be sure that everything is working correctly. Once you have a working connection, you can move outside of your LAN and then your domain to confirm connectivity. Follow these steps:
Configure Outlook in the usual way, and confirm that it is connecting to the Exchange server correctly.
Open the property page for the account. This varies with the version of Outlook. In Outlook 2003, choose Tools > E-mail Accounts > View or Change Existing E-mail Accounts, and then click Next. Choose Change to access the account settings.
In Outlook 2007, choose Tools > Account Settings, and on the E-mail tab select the Exchange account. Then choose Change.
Click the More Settings button, which is in the lower-right corner. Click the Connection tab.
Enable the option Connect to Microsoft Exchange using HTTP, which is under Outlook Anywhere (Outlook 2007) or Exchange over the Internet (Outlook 2003). Then click the Exchange Proxy Settings button.
Complete the boxes to match your environment. You use only the hostname when entering addresses; no directory name is required.
The first box, Use This URL to Connect to My Proxy Server for Exchange, should match the name on your SSL certificate.
Enable both Connect Using SSL Only and Only Connect to Proxy Servers That Have This Principal Name in Their Certificate (Outlook 2007) or Mutually Authenticate the Session When Connecting with SSL (Outlook 2003). The principal name is entered as msstd: followed by the name on the certificate, for example msstd:mail.domain.com. With this set, Outlook refuses to send credentials to a proxy that presents a certificate for any other name, even a valid one.
When it comes to the speed options, we find that you need to have both enabled for the feature to work reliably when the client machine is off site. Although in theory Outlook should be able to detect the speed of the connection to the server, with the growth of home networks it gets easily confused and attempts to make a conventional TCP/IP connection to the Exchange server when that isn't possible. Forcing the connection to always use HTTP averts that. It does mean you need to ensure that the name entered in the Use This URL to Connect to My Proxy Server for Exchange box resolves correctly inside your network as well as outside, which is what the split DNS setup described earlier gives you.
Finally, set the authentication settings to match what you set on the Exchange server when enabling Outlook Anywhere.
Click Apply and OK to get out of each box, and restart Outlook.
You can confirm whether Outlook is making a connection to the Exchange server using HTTPS in one of two ways:
Close Outlook completely; consider using Task Manager to confirm that outlook.exe has exited, because it isn't unusual for another application to keep it running in the background. Then choose Start > Run, type outlook.exe /rpcdiag, and press Enter. Outlook will start normally, but it will also include an additional diagnostics box. This will show the connection method being used. All connections should show HTTPS.
The diagnostics box can also be started once Outlook is running. While holding down the Ctrl key, right-click the Outlook icon in the system tray next to your clock. On the menu, you will see an additional item, Connection Status. Select that and the diagnostics box will open.
That Connection Status box is also useful if you are troubleshooting a conventional TCP/IP Outlook connection because it can show you which domain controller Outlook is connecting to.
Outlook Anywhere makes it possible for a client machine that is not part of your Windows domain to connect to Exchange and have the full feature set of an Exchange client available to them. This is what hosted Exchange companies do.
However, if Outlook is not on the same network as the Exchange server, getting it to use Outlook Anywhere can be a little fiddly. Ideally, your clients should be using Outlook 2007 because this allows you to use the Autodiscover service to configure Outlook automatically. However, if your end users are using Outlook 2003 as a client, then manual configuration is the only option.
Before you begin, make sure that the feature is working internally with a domain member by following the instructions earlier in this chapter for configuring a client on the domain and network. If you have not verified that the feature is working beforehand, then troubleshooting any problems becomes a lot more difficult.
The configuration process for machines that are outside of the firewall is almost identical to the process for those that are inside:
Configure Outlook as you would ordinarily, including entering the Exchange server's real name, not the external name from the certificate. However, do not click the Check Name button because the name check process will fail. Instead, click More Settings. You will get a prompt about the Exchange server being unavailable. Accept that. Then you will see another box prompting you to check the name again. Click Cancel to clear that message. That should open the More Settings dialog box. Click the Connection tab.
This stage is identical to being on the LAN. Enable the option Connect to Microsoft Exchange using HTTP, which is under Outlook Anywhere (Outlook 2007) or Exchange over the Internet (Outlook 2003). Then click the Exchange Proxy Settings button.
Again, fill in the boxes to match your environment. In this case, the speed options don't really apply because you want to always use HTTP, so enable both options. With the authentication, choose the same one you selected when enabling the service on the Exchange server.
After configuring the settings, click OK or Apply to close the windows until you get back to the Check Name dialog box. Click Check Name. Outlook will now prompt you for credentials. Enter the credentials in the format of domain\username and then the password.
For example, if your domain name was e2007 and your username was bob.smith, you would enter e2007\bob.smith. Don't bother with the Remember My Password option at this time. Once authentication is successful, the server name and username should be underlined. Click Next and Finish to close the Account Setup Wizard.
You can now start Outlook as usual. Because the computer is not a member of the domain, you will need to authenticate to the domain that Exchange is located in, so you will get a username and password prompt each time Outlook is started. The Remember My Password option suppresses the prompt, but it also stores a domain credential on a machine you do not manage, so decide whether that is acceptable before suggesting it to users.
For password maintenance of end users connecting to Exchange in this way, suggest that they change their password through Outlook Web Access.
After ensuring that Outlook Anywhere is working correctly, you need to ensure that the relevant port is open on your firewall. If you are using SSL, then only port 443 is required - no other special changes are required.
Refer to Chapter 20, "Securing Exchange Server," for full information on setting your firewall to work with Outlook Anywhere and other Exchange features.