Deploying Outlook Anywhere

Outlook Anywhere provides secure Internet-based access to Exchange Server. When you enable and configure this feature, users can use RPC over HTTP to connect to their Exchange mailboxes, eliminating the need for virtual private network (VPN) connections. As Outlook Anywhere uses the same URLs and namespaces that you use for Exchange ActiveSync and Outlook Web Access, there's no additional configuration required beyond the initial setup. Because RPC over HTTP is secure, unauthenticated requests from Outlook clients are blocked from accessing Exchange Server.

You can deploy Outlook Anywhere by performing the following procedures:

1. Install a valid SSL certificate on the Exchange Server.

2. Install RPC Over HTTP Proxy Windows networking.

3. Enable Outlook Anywhere.

These procedures are discussed in the sections that follow.

Installing an SSL Certificate on the Exchange Server

For Outlook Anywhere to work, a default SSL certificate is created for Exchange Server during installation of a Client Access server. If you don't want to use the default SSL certificate, you can use another one, such as one issued by your organization's certificate authority (CA) or a third-party certificate service. The first time users access Exchange Server using Outlook Web Access, they'll be prompted to trust the server certificate. They must click Yes.

Because Outlook requests use HTTP over SSL, you must allow port 443 through your firewall. If you already use Outlook Web Access with SSL or Exchange ActiveSync with SSL, port 443 should already be open and you do not have to open any additional ports.

Installing the RPC Over HTTP Proxy

For Outlook Anywhere to work, you should install the RPC Over HTTP Proxy Windows networking component on the Exchange Server during installation of a Client Access server. If, for some reason, this component was not installed, uninstalled, or becomes corrupted, you must reinstall it. With Windows Server 2003, you install this component by completing the following steps:

1. In Control Panel, select Add Or Remove Programs.

2. In Add Or Remove Programs, click Add/Remove Windows Components.

3. In the Windows Components Wizard, select Networking Services, and then click Details. Be careful not to clear the Networking Services check box.

4. In the Networking Services dialog box, select the RPC Over HTTP Proxy check box, and then click OK.

5. Click Next to let the wizard start configuring components.

6. When prompted, insert the Windows Server 2003 CD into the appropriate CD-ROM drive, and then click OK.

7. Click Finish.

Determining Whether Outlook Anywhere is Enabled

In Exchange Management Console, you can determine whether Outlook Anywhere is enabled by expanding the Server Configuration node and then selecting the Client Access node. In the upper portion of the details pane, Client Access servers are listed by name, role, Exchange version, and Outlook Anywhere Enabled status.

You can use the Get-OutlookAnywhere cmdlet to list similar information about Outlook Anywhere for all Client Access servers in your organization. If you use the –Server parameter, you can limit the results to a specific server. If you use the –Identity parameter, you can examine a particular virtual directory on a server. Sample 16-1 provides the syntax, usage, and sample output.

Sample 16-1: Get-OutlookAnywhere cmdlet syntax and usage

 Syntax Get-OutlookAnywhere [-Server 'ServerName']  [-Identity 'VirtualDirectoryIdentity'] Usage Get-OutlookAnywhere Get-OutlookAnywhere -Server 'CorpSvr127' Get-OutlookAnywhere -Identity 'CorpSvr127\Rpc (Default Web Site)' Output SSLOffloading                : False ExternalHostname             : http://mail.cpandl.com ExternalAuthenticationMethod : Basic MetabasePath                 : IIS://CORPSVR127/W3SVC/1/ROOT/Rpc Path                         : C:\WINDOWS\System32\RpcProxy Server                       : CORPSVR127 AdminDisplayName             : ObjectCategoryName           : msExchRpcHttpVirtualDirectory ExchangeVersion              : 0.1 (8.0.935.0) CurrentObjectVersion : 0.1 (8.0.935.0) Name                         : Rpc (Default Web Site) Identity                     : CORPSVR127\Rpc (Default Web Site) Guid :  ObjectCategory :http://cpandl.com/Configuration/Schema/ms-Exch-Rpc-Http- Virtual-                Directory ObjectClass                  : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory} OriginalId                   : CORPSVR127\Rpc (Default Web Site) WhenChanged                  : 10/24/2006 3:30:19 PM WhenCreated                  : 10/24/2006 3:30:19 PM ObjectState                  : Unchanged OriginatingServer            : http://corpsvr127.cpandl.com IsReadOnly                   : False Id                           : CORPSVR127\Rpc (Default Web Site) IsValid                      : True 

Enabling and Modifying Outlook Anywhere

You can deploy Outlook Anywhere by enabling the feature on at least one Client Access server in each site of your Exchange organization. To enable Outlook Anywhere, complete the following steps:

1. In Exchange Management Console, expand the Server Configuration node, and then select the Client Access node.

2. In the upper portion of the details pane, you'll see a list of your organization's Client Access servers. Right-click the server on which you want to enable Outlook Anywhere, and select Enable Outlook Anywhere.

3. In the Enable Outlook Anywhere wizard, type the external host name for the Client Access server, such as http://mailer1.cpandl.com.

4. Select an available external authentication method. You can select Basic Authentication or NTLM Authentication. NT LAN Manager (NTLM) authentication is more secure than basic authentication.

5. Only select the Allow Secure Channel (SSL) Offloading check box if you have configured an advanced firewall server, such as Microsoft Internet Acceleration and Security (ISA) Server 2006 to work with Exchange 2007 and handle your SSL processing.

6. Click Enable to apply your settings and enable Outlook Anywhere, and then click Finish.

In Exchange Management Shell, you can enable Outlook Anywhere using the Enable-OutlookAnywhere cmdlet. Sample 16-2 provides the syntax and usage.

Sample 16-2: Enable-OutlookAnywhere cmdlet syntax and usage

 Syntax Enable-OutlookAnywhere -Server 'ServerName'  -ExternalHostName 'ExternalHostName'  -ExternalAuthenticationMethod <'Basic' | 'NTLM'>  -SSLOffloading <$true|$false> Usage Enable-OutlookAnywhere -Server 'CAServer21'  -ExternalHostName 'http://mailer1.cpandl.com'  -ExternalAuthenticationMethod 'Basic'  -SSLOffloading $false 

If you want to modify the Outlook Anywhere configuration, you can use the Set-OutlookAnywhere cmdlet to do this. Sample 16-3 provides the syntax and usage.

Sample 16-3: Set-OutlookAnywhere cmdlet syntax and usage

 Syntax Set-OutlookAnywhere -Identity 'VirtualDirectoryIdentity'  [-ExternalHostName 'ExternalHostName']  [-ExternalAuthenticationMethod <'Basic' | 'NTLM'>]  [-SSLOffloading <$true|$false>] Usage Set-OutlookAnywhere -Identity 'CorpSvr127\Rpc (Default Web Site)'  -ExternalHostName 'http://mailer1.cpandl.com'  -ExternalAuthenticationMethod 'NTLM'  -SSLOffloading $true 

Disabling Outlook Anywhere

If you no longer want a particular Client Access server to allow Outlook clients to use Outlook Anywhere, you can disable this feature by completing the following steps:

1. In Exchange Management Console, expand the Server Configuration node, and then select the Client Access node.

2. In the upper portion of the details pane, you'll see a list of your organization's Client Access servers. Right-click the server on which you want to enable Outlook Anywhere, and select Disable Outlook Anywhere.

3. When prompted to confirm, click Yes.

In Exchange Management Shell, you can disable Outlook Anywhere using the Disable-OutlookAnywhere cmdlet. Sample 16-4 provides the syntax and usage.

Sample 16-4: Disable-OutlookAnywhere cmdlet syntax and usage

 Syntax Disable-OutlookAnywhere -Server 'ServerName' Usage Disable-OutlookAnywhere -Server 'CAServer21'