Configuring Outlook Anywhere for Exchange 2007 SP1

Exchange 2007 has rebranded RPC over HTTPS as Outlook Anywhere, and has made some slight modifications between RTM and Exchange 2007 SP1.

When utilizing Outlook 2007, the Autodiscover service is heavily tied into Outlook Anywhere functionality; I am going to reference a previous posting that explains those functions in detail.

With Exchange 2007, in order to allow clients remote access to the mail system you will need to install an Exchange 2007 CAS server, which allows clients to access their mail via IMAP, POP, OWA, ActiveSync, and RPC/HTTPS (Outlook Anywhere).

For this article I am going to skip the installation of each server role and just work with the configuration. The lab consists of 1 DC, 1 CAS/Hub and 1 MBX server running Windows 2003 and Exchange 2007 SP1.

RPC/HTTP was first introduced with Exchange 2003 and has been renamed Outlook Anywhere in Exchange 2007. In order to use this functionality with Exchange we must install the RPC over HTTP Proxy networking component on a server (recommended on your Exchange server).

What does this network component do for us?
RpcProxy.dll is an Internet Server API (ISAPI) extension that runs in Internet Information Services (IIS). RpcProxy.dll listens for activity on the RPC virtual directory.

RpcProxy.dll requires authentication and will not pass anonymous requests, even if IIS is configured for anonymous authentication.

When an Outlook client typically communicates with an Exchange server, the client attempts to connect via MAPI RPC. With RPC/HTTP, Outlook makes an HTTP connection to the RPC proxy server, which strips the HTTP and sends the RPC request to the appropriate Exchange server.

Installing the RPC/HTTP networking component:
1. From the Add/Remove programs select Windows components
2. Select Networking Services then details

3. Select Rpc over http proxy -> OK

4. Click Next to start the installation
5. Click Finish to complete the installation

How do we verify the installation?
1. Validate you have 2 virtual directories installed, called RPC and RPC with Cert
The 2 new virtual directories point to C:\WINDOWS\System32\RpcProxy, which is the location of rpcproxy.dll

2. Verify the RPC Proxy server extension is allowed in IIS (this will be enabled after you install the component)

Later we will look at a tool called rpc dump that can be used to troubleshoot connectivity problems.

After we have installed our CAS server we need to enable Outlook Anywhere, which can be done in one of two ways: 1. EMS (command line) or 2. EMC (GUI)

1. EMS
To work with Outlook Anywhere via EMS we use the following set of commands: Get-OutlookAnywhere, Set-OutlookAnywhere, Enable-OutlookAnywhere.

A. Open EMS
B. Now we will use the Enable-OutlookAnywhere command to enable this feature
–The following switches are available for the command
** Pre SP1
Enable-OutlookAnywhere -DefaultAuthenticationMethod -ExternalHostname -SSLOffloading <$true $false> [-Confirm []] [-DomainController ] [-Server ] [-TemplateInstance ] [-WhatIf []]
** Post SP1
Enable-OutlookAnywhere -ClientAuthenticationMethod -ExternalHostname -SSLOffloading <$true $false> [-Confirm []] [-DomainController ] [-IISAuthenticationMethods ] [-Server ] [-TemplateInstance ][-WhatIf []]

For this demo I used the following command
[PS] C:\>Enable-OutlookAnywhere -Server vmcashub -SSLOffloading:$false -ExternalHostname -ClientAuthenticationMethod basic -IISAuthenticationMethods basic

*Note: if you use DefaultAuthenticationMethod it will override ClientAuthenticationMethod and IISAuthenticationMethods*
*The ClientAuthenticationMethod setting is what Autodiscover will use to configure the client*


We can use the Get-OutlookAnywhere command to view our configuration

Once we have enabled Outlook Anywhere, any future modification is done with the Set-OutlookAnywhere command (e.g. changing authentication)

2. EMC
a. Open EMC –> Server configuration –> client Access Server
b. Select the CAS server you want to enable
c. Click the button to Enable Outlook Anywhere

d. Enter the External name that clients will use to connect to your Exchange Server, note this name should match the name on your certificate. Select the authentication method of choice

e. On the Completion Wizard Click finish

As you saw, there is very little configuration when enabling Outlook Anywhere; we have 3 options:
1. URL 2. Authentication and 3. Enable SSL offloading

Once we have enabled Outlook Anywhere we can validate that the registry key has been configured with the correct ports for communication to our mailbox servers. Note that only the names listed in the key can be used by clients to connect, and you will notice there is no IP address listed, so testing via IP will fail through the RPC proxy.

1. Click start Run
2. Regedit – this will open the registry editor
3. HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
4. Notice the Dword called Enabled set to 1
5. There is a String value called “ValidPorts”


**Note: if the ports are not listed, it could take up to 15 minutes to update, or you can restart the Microsoft Exchange Service Host**
We can see that the RPC proxy connects to our mailbox server on the following ports: 6001-6002 and 6004. Each port is defined below.

Microsoft Exchange Information Store service: 6001
referral service of DSProxy: 6002
proxy service of DSProxy: 6004
Active Directory (if the global catalog server and Exchange Server are on the same server): 6004

In our client testing we can validate the proxy making connections to our mailbox server with these ports.
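
The registry check above can be scripted so that missing or overly broad entries stand out. The following PowerShell is an added example, not part of the original article: the function name Test-ValidPorts and the sample string are constructed for illustration, and it assumes ValidPorts entries of the form host:port or host:low-high separated by semicolons.

```powershell
# Added example (not from the original article). Ports the article expects
# the RPC proxy to reach on each mailbox server: 6001-6002 and 6004.
$expected = 6001, 6002, 6004

function Test-ValidPorts {   # hypothetical helper name
    param([string]$ValidPorts)
    $seen = @{}   # host name -> expected ports that host is allowed on
    # Assumed format: host:port or host:low-high, separated by ';'
    foreach ($entry in $ValidPorts.Split(';')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        if ($entry -match '^(?<h>[^:]+):(?<lo>\d+)(-(?<hi>\d+))?$') {
            $h  = $matches['h']
            $lo = [int]$matches['lo']
            $hi = $lo
            if ($matches['hi']) { $hi = [int]$matches['hi'] }
            if ($hi -lt $lo) { "BAD RANGE   $entry"; continue }
            # Expected ports that fall inside this entry's range
            $covered = @($expected | Where-Object { $_ -ge $lo -and $_ -le $hi })
            # Anything else in the range is reachable through the proxy too
            $extra = ($hi - $lo + 1) - $covered.Count
            if ($extra -gt 0) {
                "TOO BROAD   $entry allows $extra port(s) beyond 6001-6002 and 6004"
            }
            if (-not $seen.ContainsKey($h)) { $seen[$h] = @() }
            $seen[$h] += $covered
        } else {
            "UNPARSABLE  $entry"
        }
    }
    foreach ($h in $seen.Keys) {
        $missing = @($expected | Where-Object { $seen[$h] -notcontains $_ })
        if ($missing.Count -gt 0) { "MISSING     $h has no entry for port(s) $missing" }
        else { "OK          $h covers 6001, 6002 and 6004" }
    }
}

# Constructed sample: the FQDN lacks 6004 and the last entry is a broad range.
$sample = 'vmmbx1:6001-6002;vmmbx1:6004;vmmbx1.vm.local:6001-6002;vmmbx1:100-5000'
Test-ValidPorts $sample

# On the CAS server itself, audit the live value as well.
$key = 'HKLM:\Software\Microsoft\Rpc\RpcProxy'
if (Test-Path $key) {
    $cfg = Get-ItemProperty $key
    "Enabled = $($cfg.Enabled)"
    Test-ValidPorts $cfg.ValidPorts
}
```

A MISSING line right after enabling Outlook Anywhere usually means the key has not been refreshed yet; a TOO BROAD line means the proxy will forward authenticated clients to more ports on that host than Outlook Anywhere needs.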

Configure a client:
1. Create a New profile
2. check the manually configure box at the bottom

3. Select Microsoft Exchange

4. Input your mailbox server name (this could be FQDN or Netbios Name)

5. Click the “More settings” button

6. Select the connections tab

7. Check the box “Connect to Microsoft Exchange using HTTP” -> Exchange Proxy Settings

8. Input the url of your Outlook Anywhere server, check the appropriate authentication

9. Click OK and finish the profile

2. Autodiscover
** if autodiscover is not working please refer to my blog on autodiscover **

1. Click Add

2. Give a name for the profile

3. Input the display name and users email address and password
**Note a domain logged on user will auto populate the information**

5. Logon to your mailbox

6. Click Finish

Now that we have installed all the components, we need to do some testing to validate we have access to our mail.

Check Outlook connection status:
1. Log onto Outlook
2. In the system tray, hold the CTRL key and right-click the Outlook icon
3. Select Connection Status

You can see our connection shows https, which validates we are going through the CAS server and proxying our connection.

We can use netstat to show our connection for each hop Client-> CAS -> Mbx -> DC

Open a command window on the CAS server and type netstat -na

You can see from the screen shot above that our client is making connections on port 443 to our CAS server

As noted in the connections window from Outlook, the Outlook client makes multiple connections to the CAS server on port 443, and this is validated in the netstat output

On the mailbox server open a command window and type Netstat -na

The first item to note is our mailbox server listening on ports 6001, 6002, and 6004, which are the ports used by RPC/HTTP to make connections

Below you can see our mbx server receiving connections on port 6001 and 6004 from our CAS server

On our domain controller we can see Ldap 389 and GC 3268 ports with connections from both our CAS server and MBX server.

Packet Captures:
We can use a tool like NetMon or WireShark to perform network captures on each hop as well to validate our traffic between each node. We must note this is encrypted traffic so we will only see sessions between the nodes

This capture is run on the XP client and we can see TLS communication between our client and our CAS

This capture shows communication from the CAS 192.168.101 to the mailbox server on port 6001/6004

See the highlighted section showing a destination port 6001 from the CAS to the MBX server

See the highlighted section showing a destination port 6004 from the CAS to the MBX server

Mailbox Server -> DC/GC
Below we can see our mailbox server making connections to the DC Ldap port 389


RpcPing is a utility that we can use to troubleshoot or validate that our RPC proxy is working properly.
RpcPing is a command line tool that can be found in the Windows 2003 resource kit. We can use this tool to test RPC connectivity through an RPC proxy server, which is what Outlook Anywhere uses.

You can use this MS article to assist with this utility

1. Open a command line to the resource kit directory

2. Let's connect to port 6001 = Store

rpcping -t ncacn_http -s vmmbx1.vm.local -o RpcProxy=mail.vm.local -P "brian.tirch,vm.local,*" -I "brian.tirch,vm.local,*" -H 1 -F 3 -v 3 -B msstd:mail.vm.local -e 6001 -u 10 -a connect

You can see we make a successful connection

3. Let's connect to port 6004 = DSProxy

rpcping -t ncacn_http -s vmmbx1.vm.local -o RpcProxy=mail.vm.local -P "brian.tirch,vm.local,*" -I "brian.tirch,vm.local,*" -H 1 -F 3 -v 3 -B msstd:mail.vm.local -e 6004 -u 10 -a connect

You can see we make a successful connection

These tests show us that we are properly connecting through the rpc proxy server to the correct ports associated with Outlook Anywhere.

Reference the above MS article for a breakdown of the switches.

Windows 2008 has added some additional perf counters that we can use with Rpc/Proxy that can assist in identifying connectivity and user load.

Common issues:
1. Certificates – If the client machine does not trust the certificate that is being presented, it will fail to connect. So if you are using self-signed or self-issued certificates you will need to deploy them to each client machine.
