Exchange 2019: Presenting Outlook Anywhere With WAP

KB ID 0001548

Problem

Note: Applies to Exchange 2019, 2016, and 2013.

This is pretty much PART TWO of presenting ‘Exchange Web Services’ using Web Application Proxy. Back in PART ONE we looked at publishing OWA and ECP, and that required having an ADFS server. To present the other web services (e.g. Outlook Anywhere, Exchange Active Sync, Offline Address Book, etc.) you don’t need ADFS; you simply use ‘pass-through’ authentication with your WAP server, directly to Exchange.

Solution

Before you start, make sure that, in addition to the DNS records we used for OWA and ECP, you can also publicly resolve your Autodiscover record. I prefer doing this with public SRV records; see the following article for clarification:

Creating an AutoDiscover SRV Record

You now need to make sure that the URLs that Exchange uses for its web services are set correctly. To do that, use the following PowerShell commands:

[box]

Get-OutlookAnywhere |select InternalHostname,ExternalHostname
Get-OABVirtualDirectory |select InternalUrl,ExternalUrl
Get-ActiveSyncVirtualDirectory |select InternalUrl,ExternalUrl
Get-WebServicesVirtualDirectory |select InternalUrl,ExternalUrl
Get-MapiVirtualDirectory |select InternalUrl,ExternalUrl
Get-ClientAccessService |select AutoDiscoverServiceInternalUri

[/box]

 


Make sure your internal URLs are resolvable inside, and your external/public URLs are resolvable outside (to the public IP address of your WAP server).

Exchange URLS To Publish with WAP

As with the URLs we published previously remember to publish them with a trailing ‘slash’. You need to publish and ‘Reverse Proxy‘ the following URLs;

Outlook Anywhere: https://mail.ubique.com/rpc/  
Offline Address Book: https://mail.ubique.com/oab/
Active-Sync: https://mail.ubique.com/Microsoft-Server-ActiveSync/
Exchange Web Services: https://mail.ubique.com/EWS/  
MAPI: https://mail.ubique.com/MAPI/
Autodiscover: https://mail.ubique.com/Autodiscover/

Note: Obviously your domain will have a different name!

Publish Outlook Anywhere with WAP

From the ‘Remote Access Management Console’ > Publish > Next.

Select ‘Pass-Through’ > Next.

Give the published rule a sensible name like “Outlook Anywhere” > Enter the URLs, and select your public certificate > Next.

Publish.

Close

Publish Active Sync with WAP

Active Sync is required for phones and mobile devices that cannot use Outlook Anywhere. To publish this rule repeat the procedure above, but at the Publishing Setting page use the following settings.

Publish Offline Address Book with WAP

Offline Address Book is required by devices to download a cached copy of the global address list. To publish this rule repeat the procedure above, but at the Publishing Setting page use the following settings.

Publish Exchange Web Services with WAP

Exchange Web Services allow clients to access calendars, contacts and scheduling information remotely. To publish this rule repeat the procedure above, but at the Publishing Setting page use the following settings.

Publish Exchange MAPI with WAP

Mail Application Programming Interface (over HTTPS) is the default connection protocol in modern Exchange deployments. To publish this rule repeat the procedure above, but at the Publishing Setting page use the following settings.

Publish Autodiscover with WAP

If you’ve used Exchange since version 2007, you will know how important Autodiscover is (probably because of the headaches caused when it’s not set up correctly!). To publish this rule repeat the procedure above, but at the Publishing Setting page use the following settings.
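The same six pass-through rules can also be published from PowerShell on the WAP server. This is an added example, not part of the original article: the certificate thumbprint is a placeholder, and using the public URL as the back-end URL is an assumption (the WAP server must resolve that name to Exchange internally).

```powershell
# Added example: publish the six Exchange pass-through rules on the WAP server.
# Assumptions (not from the article): the thumbprint placeholder and the
# back-end URL being identical to the external URL.
Import-Module WebApplicationProxy

$PublicHost     = 'mail.ubique.com'              # the article's example name
$CertThumbprint = '<PUBLIC-CERT-THUMBPRINT>'     # placeholder; list with: dir Cert:\LocalMachine\My

# Rule name -> path, each with the trailing slash the article calls for
$Rules = [ordered]@{
    'Outlook Anywhere'      = '/rpc/'
    'Offline Address Book'  = '/oab/'
    'Active-Sync'           = '/Microsoft-Server-ActiveSync/'
    'Exchange Web Services' = '/EWS/'
    'MAPI'                  = '/MAPI/'
    'Autodiscover'          = '/Autodiscover/'
}

# Names of rules already published, so a re-run does not create duplicates
$existing = @(Get-WebApplicationProxyApplication | Select-Object -ExpandProperty Name)

foreach ($rule in $Rules.GetEnumerator()) {
    if ($existing -contains $rule.Key) {
        Write-Warning "Rule '$($rule.Key)' already exists, skipping."
        continue
    }
    $url = "https://$PublicHost$($rule.Value)"
    $params = @{
        Name                          = $rule.Key
        ExternalPreauthentication     = 'PassThrough'   # no pre-authentication at the WAP
        ExternalUrl                   = $url
        BackendServerUrl              = $url
        ExternalCertificateThumbprint = $CertThumbprint
    }
    Add-WebApplicationProxyApplication @params
}

# Sanity check: list every published rule and how it is pre-authenticated.
# Pass-through rules hand requests to Exchange without authenticating them
# at the proxy, so this table shows exactly which paths are exposed that way.
Get-WebApplicationProxyApplication |
    Sort-Object Name |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
```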

Final Sanity Check

When complete, your WAP settings should look like this, (this is for all the pass-through, AND ADFS published settings).

Once set up correctly, Outlook should work fine externally, like so;

Related Articles, References, Credits, or External Links

NA

Exchange – ‘Not all the required authentication methods were found’

KB ID 0001180 

Problem

I had to visit a client who had recently gone through an Exchange migration; now his external mail clients were having a nightmare staying connected to Outlook Anywhere. I ran the Exchange connectivity tester and got this;

Additional details
Not all the required authentication methods were  found
Methods Found: Basic
Methods Required: NTLM

 

Solution

Looks like an open and shut case, someone forgot to enable Windows Authentication on the ‘rpc’ virtual directory in Exchange, and when I looked, it wasn’t so I enabled it, like so;

Now I was feeling smug, and enjoying a coffee before I left site, when it went off again? As it happens, not only do you need to set it correctly in IIS, but if someone has set it incorrectly in Exchange, then Exchange wins! As you can see by my query below;

[box]

[PS] C:\Windows\system32>Get-OutlookAnywhere


RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL03
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic} << OOPS! :(
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL03.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL03
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL03
DistinguishedName               : CN=PNLMAIL03,CN=HTTP,CN=Protocols,CN=PNLMAIL03,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL03\PNLMAIL03
Guid                            : 3403795b-af71-4687-ba81-da4c876ed7bc
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 01/10/2015 13:34:26
WhenCreated                     : 14/06/2013 09:27:03
WhenChangedUTC                  : 01/10/2015 12:34:26
WhenCreatedUTC                  : 14/06/2013 08:27:03
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL02
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic}
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL02.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL02
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL02
DistinguishedName               : CN=PNLMAIL02,CN=HTTP,CN=Protocols,CN=PNLMAIL02,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL02\PNLMAIL02
Guid                            : 40ea303b-9c68-47ab-84fd-362c07f0a2db
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 01/10/2015 13:34:37
WhenCreated                     : 14/06/2013 09:26:49
WhenChangedUTC                  : 01/10/2015 12:34:37
WhenCreatedUTC                  : 14/06/2013 08:26:49
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

[/box]

Well that explains the error! To fix that;

[box]

[PS] C:\Windows\system32>Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Ntlm, Basic

[/box]

Now let’s check again.

[box]

[PS] C:\Windows\system32>Get-OutlookAnywhere


RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL03
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic, Ntlm} << BOOM :)
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL03.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL03
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL03
DistinguishedName               : CN=PNLMAIL03,CN=HTTP,CN=Protocols,CN=PNLMAIL03,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL03\PNLMAIL03
Guid                            : 3403795b-af71-4687-ba81-da4c876ed7bc
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 02/10/2015 13:13:55
WhenCreated                     : 14/06/2013 09:27:03
WhenChangedUTC                  : 02/10/2015 12:13:55
WhenCreatedUTC                  : 14/06/2013 08:27:03
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL02
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic, Ntlm}
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL02.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL02
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL02
DistinguishedName               : CN=PNLMAIL02,CN=HTTP,CN=Protocols,CN=PNLMAIL02,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL02\PNLMAIL02
Guid                            : 40ea303b-9c68-47ab-84fd-362c07f0a2db
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 02/10/2015 13:13:58
WhenCreated                     : 14/06/2013 09:26:49
WhenChangedUTC                  : 02/10/2015 12:13:58
WhenCreatedUTC                  : 14/06/2013 08:26:49
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

[/box]
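The comparison made by eye above (ClientAuthenticationMethod against IISAuthenticationMethods) can be scripted so every server is checked at once. This is an added example, not from the original article: the function name is hypothetical, and the sample objects are constructed from the values shown in the output above.

```powershell
# Added example: flag servers whose IIS authentication methods do not include
# the method Outlook Anywhere clients are told to use.
# Property names are the Exchange 2010 ones shown in the output above.
function Test-OutlookAnywhereAuth {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $OutlookAnywhere
    )
    process {
        $client = [string]$OutlookAnywhere.ClientAuthenticationMethod
        $iis    = @($OutlookAnywhere.IISAuthenticationMethods |
                    ForEach-Object { [string]$_ })

        $OutlookAnywhere | Select-Object ServerName,
            @{ Name = 'ClientMethod'; Expression = { $client } },
            @{ Name = 'IISMethods';   Expression = { $iis -join ', ' } },
            @{ Name = 'Mismatch';     Expression = { $iis -notcontains $client } }
    }
}

# Constructed sample input: one server as it looked before the fix,
# one as it looked afterwards.
$sample = @(
    New-Object PSObject -Property @{
        ServerName                 = 'PNLMAIL03'
        ClientAuthenticationMethod = 'Ntlm'
        IISAuthenticationMethods   = @('Basic')
    }
    New-Object PSObject -Property @{
        ServerName                 = 'PNLMAIL02'
        ClientAuthenticationMethod = 'Ntlm'
        IISAuthenticationMethods   = @('Basic', 'Ntlm')
    }
)

# PNLMAIL03 is reported with Mismatch = True, PNLMAIL02 with Mismatch = False
$sample | Test-OutlookAnywhereAuth | Format-Table -AutoSize

# Against live servers, from the Exchange Management Shell:
# Get-OutlookAnywhere | Test-OutlookAnywhereAuth | Where-Object { $_.Mismatch }
```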

 

Related Articles, References, Credits, or External Links

NA

Exchange 2010 – Working with Certificates

KB ID 0000453

Problem

Exchange 2010 installs with its own (self-signed) certificate. To stay free of security errors and warnings, the best bet is to purchase a “publicly signed” digital certificate and use that.

The following process uses the Exchange Management Console to create a CSR (Certificate Signing Request), then covers what to do with the certificate when it has been sent back to you.

Solution


 

Related Articles, References, Credits, or External Links

NA

Exchange 2007 & 2010 – Setup and Deploy Outlook Anywhere

KB ID 0000519 

Problem

What used to be a fiddly job is now very simple to do; setting up Outlook Anywhere (formerly known as RPC over HTTP) takes about 10 minutes.

What is Outlook Anywhere?

This is a system that lets you connect Microsoft Outlook to your Exchange server over the web. This means you can connect to your email, calendaring and tasks etc., without the need for a VPN connection.

Solution

Outlook Anywhere with Exchange 2007 (Exchange 2010 Skip to Step1)

If you plan to deploy Outlook Anywhere with Exchange 2007 there is an additional step you need to carry out before you start. From server manager > Feature > Add Features > Add in the ‘RPC over HTTP Proxy’ feature. (Note: you DON’T need to do this if you are running SBS 2008).

Step 1 Configure Exchange

1. First we need to turn it on: from within the Exchange Management Console, expand Server configuration > Client Access > Select the server in the central pane > Select “Enable Outlook Anywhere” in the action pane.

2. Enter the publicly addressable name of your Exchange server, for this example I’m using NTLM authentication > Enable.

Note: The external host name is the address that you would type into a browser to contact the Exchange server i.e. for Outlook Web Access http://mail.domaina.com/owa. This would mean the public name is mail.domaina.com. This name must be the Common Name (CN) on the Exchange server’s digital certificate.

Exchange 2010 – Working with Certificates

3. Take heed of the information, nothing’s going to work for 15 minutes (Even Exchange is telling you to apply the cup of coffee rule) > Go and have a hot milky beverage.

4. Look at the timestamps and the clocks, this one took 14 minutes (for once the dialog had it spot on!). You should see Event ID 3007, 3003, 3004 (all these are normal), and finally,

5. Event ID 3006 > Outlook Anywhere is up and running on the server. (Note: you will NOT see this on an Exchange 2007 Server, see the second screenshot).

Note: To access from outside your network, the public name of the Exchange server (in this case mail.domain.com) needs TCP port 443 (HTTPS) open to it, or “Port Forwarded” to the Exchange server.

Note2: To work internally make sure that mail.domaina.com resolves to the INTERNAL IP address of the Exchange server.

6. You may also want to execute the following command. Particularly if you use SBS, which has a habit of setting remote.publicdomain.com as the default outside name.

[box]

Set-WebServicesVirtualDirectory -Identity 'EXCHANGE-MAIL\EWS (Default Web Site)' -ExternalUrl https://mail.domain.co.uk/ews/exchange.asmx

[/box]

Step 2 Configure Outlook for Outlook Anywhere

1. In this example I’m using Outlook 2010 and the mail profile/account has NOT been setup, if you already have an account edit it, select “More Settings” and jump to number 4.

Note: To support Outlook Anywhere you need a minimum of Outlook 2003 SP2

2. If you are setting up your Outlook client internally, the autodiscover service should fill in the details for you.

3. If it auto configures the settings for you, tick the box to manually configure server settings.

4. More Settings.

5. Connection Tab > Tick “Connect to Microsoft Exchange Server using HTTP” > Click “Exchange Proxy Settings”.

6. Put in the URL (Public name of Exchange – see step 1 number 2) > I’m using NTLM authentication, you may be using basic; if you don’t know, check with your IT department, or try each one.

7. Security Tab > Ensure “Encrypt data between Microsoft Outlook and Microsoft Exchange” is selected.

8. Restart Outlook – you may be asked for your username and password again this is normal.

 

Related Articles, References, Credits, or External Links

Original article written: 04/10/11

Exchange 2010 – Working with Certificates
