qvfps
Outlook Anywhere not configuring from outside the network
I recently set up an Exchange server. I have OWA working from both inside and outside the network. While on the internal network I configured my Outlook client to communicate over HTTP and set the proxy address to mail.myco.com. With it configured that way I can use Outlook both on the network and over the network.
Now I would like to set up our external users the same way. I tried to do a manual setup and use the same settings I used while connected to the network. However, when I click on the check names button or click next it prompts me for a username and password and will not accept anything I enter. It just keeps prompting me for the login information.
Is there anything else I need to configure?
Have you tried using domain\username or username@myco.com?
ASKER
I have tried the following. To connect while on the internal network it would be root-myco\username
username
domain.internal\username
externaldomain\username
domain.internal\email address
externaldomain\email address
If you're set up for SSL then the remote users will need the certificate installing on their machines.
You can test Outlook Anywhere from www.testexchangeconnectivity.com
What version of Exchange are you running? Have you tried Basic authentication under the Outlook HTTP proxy settings? Also are you using the "connect to servers with this principal name in their certificate" option? Try unticking that, at least for now.
Do you have the required Service Location (SRV) DNS records for your company's domain to facilitate auto-discovery on the public DNS servers?
http://support.microsoft.com/kb/940881
http://www.msexchange.org/tutorials/Uncovering-New-Outlook-2007-Discover-Service.html
What version of Outlook & Exchange?
Launch Outlook with the /rpcdiag switch whilst internal to ensure they are actually using RPC/HTTPS - sounds to me like they are falling back to RPC.
Can external clients connect alright to your webmail, via SSL without any certificate prompts?
Have you remembered to install the RPC proxy? (Sounds daft but it's always the last thing I remember to do!)
ASKER
We are running Exchange 2010 and Outlook 2010. OWA works fine with no certificate prompt. Autodiscover was not configured externally, which is why I was trying to set it up manually.
I was using negotiate security, which works on the computer which I set up internally. And I am using the same computer to try and set up a new profile, so there should be no problem with the certificate since Outlook Anywhere already works on it. I just cannot set up any additional profiles.
I was using the current profile which works externally to try and create a new profile. I copied all the settings and used them to create a new profile. I just cannot get past the initial check name.
Did you try changing the HTTP proxy auth to Basic?
Did you try unticking the "only connect to proxy servers with this principal name in their cert" tickbox?
Have you tried testing from www.testexchangeconnectivity.com to verify you are not getting an autodiscover response e.g. Like where you have a catchall for *.yourdomain.com so autodiscover.yourdomain.com actually resolves to an IP even though you don't want it to.
ASKER
I ran the Outlook Anywhere connectivity test from www.testexchangeconnectivity.com and I received the following error
Testing HTTP Authentication Methods for URL https://mail.ddpsinc.com/rpc/rpcproxy.dll.
The HTTP authentication test failed.
I tried to set the authentication method for Outlook Anywhere using the command
set-outlookAnywhere -ClientAuthenticationMethod but it is prompting me for Identity.
How do I find out what the identity should be? I tried servername\RPC
Is there anywhere i can look that up?
Have you installed SP1 on Exchange 2010 ? That breaks RPC/HTTPS ... simple fix changing authentication type, though.
ASKER
I installed Exchange from the Disk below which includes SP1
SW_DVD9_NTRL_Exchange_Svr_2010_X64_MultiLang_1_ProdAct_wSP1_X17-13445.ISO
Try get-outlookanywhere to see the Identity
OK, negotiate doesn't work with SP1 afaik - just choose basic - safe enough with SSL but means internal people may be prompted.
ASKER
I ran the get-OutlookAnywhere cmdlet and it says security is already set to basic. On the Proxy settings I have set it to Basic but on the security tab the only options are NTLM/kerberos/Negotiate/smart card. I have tried both NTLM, which works on the original profile, and negotiate but it will not pass the check name.
I don't understand what is different if I set it up while connected to the network or outside the network. I can log in successfully from outside the network if I configured it while on the internal network using NTLM for both the security and the proxy settings.
It sounds like it's an RPC mapping issue which binds the NetBIOS name to FQDN name... have you tried both FQDN and NetBIOS names when attempting to get names underlined?
ASKER
I connected to https://mail.ddpsinc.com/rpc/rpcproxy.dll and connected using root-myco\username
I did not receive a cert warning and received a blank screen after I connected.
ASKER
Below is the output from get-OutlookAnyWhere
RunspaceId : 52818e8a-adsn79y7d-j7yd-n77asjkoau7d
ServerName : myserver
SSLOffloading : False
ExternalHostname : mail.myco.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods : {Basic}
XropUrl :
MetabasePath : IIS://myserver.root-myco.internal/W3SVC/1/ROOT/Rpc
Path : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
Server : myserver
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : Rpc (Default Web Site)
DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=myserver,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=myco,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=root-myco,DC=internal
Identity : myserver\Rpc (Default Web Site)
Guid : 52818e8a-adsn79y7d-j7yd-n77asjkoau7d
ObjectCategory : root-myco.internal/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged : 2/22/2011 11:34:04 PM
WhenCreated : 2/22/2011 11:34:04 PM
WhenChangedUTC : 2/23/2011 4:34:04 AM
WhenCreatedUTC : 2/23/2011 4:34:04 AM
OrganizationId :
OriginatingServer : myrootserver.root-myco.internal
IsValid : True
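A consistency check for the settings discussed in this thread, as an added example that is not part of the original posts: it parses Format-List output of the kind shown above and a 401 response from /rpc/rpcproxy.dll, then reports whether the authentication scheme chosen in Outlook's proxy settings is one the server has enabled and advertises. The sample response, the trimmed cmdlet output and the function names are constructed for illustration.

```python
# Constructed sample: 401 from /rpc/rpcproxy.dll with only Basic enabled in IIS.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="mail.myco.com"\r\n'
    "Content-Length: 0\r\n\r\n"
)
# Constructed excerpt in the shape of the Get-OutlookAnywhere output above.
SAMPLE_FL = """\
ClientAuthenticationMethod : Basic
IISAuthenticationMethods : {Basic}
Identity : myserver\\Rpc (Default Web Site)
"""

def offered_schemes(raw_response):
    """Lower-cased auth schemes from the WWW-Authenticate response headers."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def parse_format_list(text):
    """Turn 'Name : Value' lines (Format-List style) into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def check_profile(client_proxy_auth, fl_text, raw_response):
    """List mismatches between Outlook's proxy auth and the server side."""
    cfg = parse_format_list(fl_text)
    enabled = [m.strip().lower() for m in cfg["IISAuthenticationMethods"].strip("{}").split(",")]
    wire = offered_schemes(raw_response)
    want = client_proxy_auth.lower()
    findings = []
    if want not in enabled:
        findings.append("%s is not enabled on %s" % (client_proxy_auth, cfg["Identity"]))
    if want not in wire:
        findings.append("endpoint advertises only: " + ", ".join(wire))
    if cfg["ClientAuthenticationMethod"].lower() != want:
        findings.append("ClientAuthenticationMethod is " + cfg["ClientAuthenticationMethod"])
    return findings

if __name__ == "__main__":
    print("NTLM ->", check_profile("NTLM", SAMPLE_FL, SAMPLE_401))
```

An empty list means the Outlook proxy setting, the IIS methods on the /Rpc virtual directory and the advertised schemes all agree.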
Are you putting the mail.myco.com value in as your external name in outlook and is that name on your cert?
As per the link already posted: http://support.microsoft.com/kb/940881 add a SRV record to your external DNS so outlook should autodiscover the correct settings instead of you putting them in manually.
ASKER
On the certificate I have the following
mail.myco.com
www.mail.myco.com
root-myco.internal
myserver.root-myco.internal
When I connect with the profile that is working I use root-myco\username but I have tried
root-myco.internal\username and myserver.root-myco.internal\username as well on the new profile
Try the email address as the username
ASKER
I have tried all of these
email address
root-myco\email address
root-myco.internal\email address
Add a SRV record to your external DNS so we can see if Outlook is picking up the settings at all
ASKER
It will take some time to get it setup, I will have to request someone else make the change.
Since I am not using autodiscover, should I really need the SRV records?
Well it will make your life a lot easier, if you want to add any more external clients in the future.
ASKER
I don't know what changed but I can connect now.
I pulled out a different PC and created a new profile and it connected with no problem. I then went back to the one I was using, deleted the profile I was using and created a new one and connected with no problem.
I used the same settings I had already tried several times and it went through.
Try the test from www.testexchangeconnectivity.com now and see if that works too.
ASKER
The test fails on the same spot. Trying to Ping the RPC server. Since our firewall blocks incoming Pings this is not a surprise.
ASKER
Thanks for all the replies. I have set up almost all of the outside users. I have one who is having an issue but I will try and connect and set his up remotely.
Thanks for the points, what do you think happened to start it all working?
ASKER
I wish I knew exactly what resolved the issue. When I finally got it to work I had not made any changes for a while, just checked all the settings and ran as many different tests as I could to try and identify the issue.
I did discover that I cannot change an existing profile to work with Outlook Anywhere (HTTPS); I can only get it set up if I create a new profile.
Originally I tried to change an existing profile so I would not have to resynchronize the mailbox. When I could not get that to work I tried creating a new profile and eventually I deleted that one as well and created another one which worked.
I appreciate the time and the suggestions.