Exchange 2003 and Outlook 2003 introduced RPC over HTTPS, a method for securely accessing an Exchange server from either side of the firewall without a VPN. In Exchange 2007 and Outlook 2007 the feature is called simply Outlook Anywhere. Rather than opening up several RPC ports, RPC is tunneled through HTTP. With SSL, only port 443 needs to be available for Outlook Anywhere to work outside of the firewall. Outlook Anywhere requires Outlook 2007 or Outlook 2003 installed on Windows XP SP2 or Windows Server 2003. Outlook 2003 clients can use Outlook Anywhere as they did RPC over HTTPS, but they cannot take advantage of the Autodiscover service and will need to be configured manually.
Outlook needs to trust the Certificate Authority (CA) that issued the server's SSL certificate, and the certificate itself must be valid. The SSL certificates used by Exchange for OWA and ActiveSync do not apply to Outlook Anywhere. You can either serve as your own CA or use a third-party provider. Once the SSL certificate is correctly installed, the RPC over HTTP proxy component needs to be installed. On the Exchange Server, this is found under Add/Remove Programs, in Add/Remove Windows Components, under the Networking Services heading. After that Windows component is installed, Outlook Anywhere still has to be enabled on the Exchange Server.
Outlook Anywhere in Exchange 2007 is not enabled by default. The Outlook Anywhere wizard is run from an Exchange Server running the Client Access Server (CAS) role. From the Exchange Management Console (EMC), navigate to the Client Access node in the Server Configuration container. The right pane should have the option to ‘Enable Outlook Anywhere’. If it is already enabled, then the option will be to disable it. That opens the window shown in Figure 1.
We can configure basic or NTLM authentication here, and also allow SSL offloading. In addition, we need to assign an external name for the server. We can also use the Exchange Management Shell (EMS) to enable or disable Outlook Anywhere:
>Enable-OutlookAnywhere -SSLOffloading <$True|$False> -ExternalHostname <fqdn> -ExternalAuthenticationMethod <Basic|NTLM>
Microsoft recommends using NTLM authentication over SSL, with a certificate provided by a third-party certificate authority. The parameters shown are required; if any are omitted, EMS will prompt for them. Figure 2 shows sample output of this cmdlet. In this output, SSLOffloading is set to True, which means that SSL encryption is handled by a separate server or device. If that is not the case, SSLOffloading should be set to False.
The other cmdlets pertaining to Outlook Anywhere are:
- Disable-OutlookAnywhere
- Set-OutlookAnywhere
- Get-OutlookAnywhere
Finally, the clients need to be able to find and access Outlook Anywhere. For Outlook 2007, the Autodiscover service can assist when the services are configured to provide external URLs. When the external URLs are different from the internal ones, Microsoft recommends a Subject Alternative Name (SAN) certificate, which allows multiple hostnames on a single certificate. For the first Outlook Anywhere client, a manual configuration may ease troubleshooting, including SSL certificate issues. Outlook Anywhere is configured within the Account Settings for the Exchange account. Select the Exchange account in Tools -> Account Settings, then click the More Settings button. The bottom of the Connections tab presents the check box that makes Outlook use HTTP. The Exchange Proxy Settings button opens the window shown in Figure 3. Outlook 2003 will have to be configured manually as before, because it does not know about the Autodiscover service.
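The following PowerShell functions, added here as an illustration and not part of the original article or of Microsoft's tooling, check a set of Outlook Anywhere settings against the guidance above: NTLM authentication, SSLOffloading only when a separate SSL device exists, and an external hostname that the certificate's names cover. The function names, the property names (which mirror the Enable-OutlookAnywhere parameters shown earlier) and the sample values are assumptions constructed for the example.

```powershell
# Added example: audits Outlook Anywhere settings against the article's guidance.
# Property names mirror the Enable-OutlookAnywhere parameters (assumption).

function Test-HostCoveredByCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if (-not $name) { continue }
        if ($name -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label: *.example.com matches
        # mail.example.com but not example.com or a.mail.example.com.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)              # ".example.com"
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -ieq $suffix) { return $true }
        }
    }
    return $false
}

function Test-OutlookAnywhereConfig {
    param($Config, [string[]]$CertNames, [bool]$HasOffloadDevice = $false)
    $findings = @()
    $extHost = $Config.ExternalHostname
    if ([string]::IsNullOrEmpty($extHost)) {
        $findings += 'ExternalHostname is not set.'
    } elseif (-not (Test-HostCoveredByCert -HostName $extHost -CertNames $CertNames)) {
        $findings += "Certificate names do not cover $extHost."
    }
    if ($Config.ExternalAuthenticationMethod -ne 'NTLM') {
        $findings += 'Authentication method is not NTLM (the recommended setting).'
    }
    if ($Config.SSLOffloading -and -not $HasOffloadDevice) {
        $findings += 'SSLOffloading is True but no separate SSL device exists; set it to False.'
    }
    $findings    # emits nothing when the configuration is clean
}

# Constructed sample data (not taken from a real server).
$config = @{
    ExternalHostname             = 'mail.example.com'
    SSLOffloading                = $true
    ExternalAuthenticationMethod = 'Basic'
}
$certNames = @('owa.example.com', 'autodiscover.example.com')

foreach ($f in @(Test-OutlookAnywhereConfig -Config $config -CertNames $certNames)) {
    "FINDING: $f"
}
```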
Summary
So to deploy Outlook Anywhere there are a few steps to walk through:
- Install a valid SSL certificate from a CA Outlook can trust
- Install the Windows RPC over HTTP proxy component from Networking Services in Add/Remove Windows Components under Add/Remove Programs
- Enable Outlook Anywhere using EMS or EMC on an Exchange 2007 server running the CAS role
- Configure Outlook clients to access Outlook Anywhere
In the 2007 versions, Outlook Anywhere, formerly RPC/HTTPS, is much simpler to deploy and configure.
Last reviewed on Aug 22, 2011