I've been trying to get this working on our new E2K7 server for about a week and finally got it up and running with a WildCard Cert containing the SAN names for all possible iterations of connecting to my Exchange server... i.e. mail.domain.com, mail2.domain.com, mail3.domain.com, webmail.domain.com, netbiosname.domain.com, netbiosname, autodiscover.domain.com
I found this site to be very helpful in leading me down a path that proved successful. http://exchange-genie.blogspot.com/2008/02/configuring-outlook-anywhere-for.html
Brief description of my setup:
Windows Server 2003 R2 Win64
Exchange 2007 SP1+RU2
Clients are a mix of Outlook 2003 and 2007
1. Bought the wildcard cert/also named a UC cert from Digicert.com <-Best company I've ever dealt with on cert purchases!
2. Installed the cert using the cert MMC.
3. Enabled the cert on all services using the Enable-ExchangeCertificate command in the EMS
4. Configured each service in the EMC to reflect the SAN name contained in the cert.
NOTE A: Since POP3 and IMAP will set the certificate to *.domain.com when you enable it in Step 2, changing this to mail.domain.com or whatever sub-domain you are using works fine as long as the SAN name was included in the cert installed in Step 1
NOTE B: I set the internal and external names for each service to my external name. Don't forget to add an 'A Record' to your DNS server for the sub-domain to point to your internal Exchange server IP
5. In IIS I configured OAB 'Security Tab' to the following: Integrated Windows Authentication checked / Basic Authentication checked / Default Domain and Realm selected.
6. In IIS I configured RPC 'Security Tab' to the following: Integrated Windows Authentication checked.
7. In the EMC - Server Configuration > Client Access > Enable Outlook Anywhere. Entered the sub-domain you intend to use, making sure it is included in the SAN names contained within the cert. Selected SSL offloading - Click OK.
8. After waiting the 15 minutes for it to propagate the changes or restarting the Exchange Service Host, you can verify that your changes worked by running this command in the EMS - Get-OutlookAnywhere and you should see something similar to the following:
ServerName : ServerNetBIOSName
SSLOffloading : True
ExternalHostname : mail.domain.com
ClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Ntlm}
9. In Outlook I configured Email accounts>Exchange Server Settings>Microsoft Exchange Server>
*Security Tab: Logon network security=Password Authentication(NTLM)
*Connection Tab: Exchange over the Internet>Connect to my Exchange mailbox using HTTP>Exchange Proxy Settings
-sub.domain.com
-Enable Connect using SSL only
-Fast and Slow networks Enabled
-Proxy authentication settings:NTLM
After starting Outlook I'm no longer prompted for authentication and can verify I'm connected via HTTPS by holding CTRL and right clicking on the Outlook icon in the system tray and then selecting Connection Status.
Hope this helps someone and if you have any questions or comments feel free to reply.
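As an added example (not part of the post above or any Exchange-supplied script), here is an EMS check for the end of the procedure: it gathers every hostname Exchange is configured to present to clients (the service URLs from step 4, the Autodiscover URI, the Outlook Anywhere external hostname from steps 7-8, and the POP3/IMAP certificate names from NOTE A) and reports any that the IIS-enabled certificate's SAN list does not cover, since an uncovered name is what produces the certificate warnings that users then learn to click through. It assumes the Exchange 2007 SP1 cmdlets used in the post, a single Client Access server, and that a wildcard entry covers exactly one label.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on the
# Client Access server; it reads the live configuration and prints one line per hostname.

function Test-NameCovered {
    param([string]$Name, [string[]]$CertDomains)
    $n = $Name.ToLower()
    foreach ($d in $CertDomains) {
        $d = $d.ToLower()
        if ($d -eq $n) { return $true }
        # *.domain.com covers mail.domain.com but not a.b.domain.com or bare domain.com
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                      # ".domain.com"
            if ($n.EndsWith($suffix)) {
                $label = $n.Substring(0, $n.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# 1. Hostnames from the service URLs set in the EMC (step 4) and the Autodiscover URI
$vdirs = @(Get-OabVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
         @(Get-OwaVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory)
$urls  = @($vdirs | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host })

# 2. Outlook Anywhere external hostname (steps 7-8) and the POP3/IMAP names from NOTE A
$hosts += @(Get-OutlookAnywhere | ForEach-Object { "$($_.ExternalHostname)" })
$hosts += (Get-PopSettings).X509CertificateName
$hosts += (Get-ImapSettings).X509CertificateName

# 3. SAN list of the certificate(s) enabled for IIS (step 3)
$certDomains = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
                 ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" })

# 4. Report; any "NOT IN CERT" line means Outlook will see a certificate name mismatch
foreach ($h in ($hosts | Where-Object { $_ } | Sort-Object -Unique)) {
    $status = 'NOT IN CERT'
    if (Test-NameCovered $h $certDomains) { $status = 'OK' }
    '{0,-45} {1}' -f $h, $status
}
```

If a name shows as NOT IN CERT, either change that service's URL to a SAN name the cert already carries or reissue the cert with the missing name; do not leave users to accept the mismatch prompt.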