orbisuser
asked on
User cannot send mail to external contacts using Outlook
Dear Experts,
I have a user in an affiliate office that currently uses MS Outlook 2010 to manage a corporate Google Mail account.
We want to provide users at this office e-mail services hosted on our Exchange 2003 Server.
I setup an Exchange account on their Outlook client using Outlook Anywhere (via HTTP proxy) that appears to be working, however the user cannot send to external contacts, only other domain users. They get a dialog box that simply says 'Operation Failed,' but not error details. When the user logs directly into OWA, they can send to anybody. So it must be an issue w/ Outlook.
Sorry I did not check the error logs. The user's computer is not on our domain and I was using Cisco WebEx to troubleshoot. I'm thinking there are several possibilities as to why this is happening:
1. Is it possible that configuring Outlook to use Google Mail changed a MAPI setting? I'm not sure why Outlook would not allow user to send to external.
2. I thought maybe that there was an issue with which account was set as default for Send/Receive, but if set correctly, this should not be a problem.
3. Also, I thought that it may be a domain rights issue, but the user must authenticate when accessing the Exchange account and the user object in AD is subject to the same GPO as all others.
Please let me know if I've left out any critical information. Any assistance would be greatly appreciated.
Thanks,
ORBIS
I have a user in an affiliate office that currently uses MS Outlook 2010 to manage a corporate Google Mail account.
We want to provide users at this office e-mail services hosted on our Exchange 2003 Server.
I setup an Exchange account on their Outlook client using Outlook Anywhere (via HTTP proxy) that appears to be working, however the user cannot send to external contacts, only other domain users. They get a dialog box that simply says 'Operation Failed,' but not error details. When the user logs directly into OWA, they can send to anybody. So it must be an issue w/ Outlook.
Sorry I did not check the error logs. The user's computer is not on our domain and I was using Cisco WebEx to troubleshoot. I'm thinking there are several possibilities as to why this is happening:
1. Is it possible that configuring Outlook to use Google Mail changed a MAPI setting? I'm not sure why Outlook would not allow user to send to external.
2. I thought maybe that there was an issue with which account was set as default for Send/Receive, but if set correctly, this should not be a problem.
3. Also, I thought that it may be a domain rights issue, but the user must authenticate when accessing the Exchange account and the user object in AD is subject to the same GPO as all others.
Please let me know if I've left out any critical information. Any assistance would be greatly appreciated.
Thanks,
ORBIS
ASKER
Yes, users Outlook client is correctly configured to connect to our Exchange using RPC. They can receive mail from anybody, but they can only send to domain e-mail addresses. They are unable to send to external (non-domain) contacts.
VPN is an option we've discussed, but our policies would required that their workstations were folded into our domain environment if they were able to access our LAN.
Besides, my understanding was that Outlook Anywhere feature enabled users to connect to the Exchange server regardless of network as long as they had a WAN access to the Exchange front end.
I'm guessing there's an issue with the way the Outlook client is currently configured, but I can't figure it out.
VPN is an option we've discussed, but our policies would required that their workstations were folded into our domain environment if they were able to access our LAN.
Besides, my understanding was that Outlook Anywhere feature enabled users to connect to the Exchange server regardless of network as long as they had a WAN access to the Exchange front end.
I'm guessing there's an issue with the way the Outlook client is currently configured, but I can't figure it out.
When the user logs in to OWA, they are successfully authenticating to the server, and so their mail to remote domains is being relayed out. Apparently, with Outlook, they are not successfully authenticating, so any mail they try to send out, they don't have permission to, because it's a relay.
Can you mention the steps you followed for configuring the Outlook?
I am interested to know "Exchange Proxy Settings" , "Proxy Authentication". Security tab "Logon Network Security" and "Encryption"
I am interested to know "Exchange Proxy Settings" , "Proxy Authentication". Security tab "Logon Network Security" and "Encryption"
We have Outlook configured with Autodiscover, but I have that configured to hand out these settings:
Security tab: Encryption checked, User Identification (always prompt for credentials) unchecked.
Connection tab, Exchange Proxy Settings:
URL: https://email.contoso.com
Connect using SSL only checked, Only connect to proxy servers that have this principal name in their certificate checked: msstd:*.contoso.com
(I'm using msstd:*.contoso.com because we're using a wildcard certificate, and that's the FQDN that's actually in the certificate. If you're using a SAN certificate, or a single-name certificate, pick the name you want to use from the cert.)
On fast networks, use HTTP first unchecked. On slow networks use HTTP first checked.
NTLM Authentication is selected.
----
Question: let's say you have Outlook configured not to use Outlook Anywhere, but to just connect with MAPI. How does it work then? Test that out; if it works without OA turned on, then you know it's an OA configuration that's the problem.
Also, when you have Outlook open, do a ctrl+right click on the Outlook tray icon, and choose "Connection Status" to see whether something maybe isn't connected. You can also do "Test autoconfiguration" there to see what autodiscover is actually handing Outlook right now for URLs.
Security tab: Encryption checked, User Identification (always prompt for credentials) unchecked.
Connection tab, Exchange Proxy Settings:
URL: https://email.contoso.com
Connect using SSL only checked, Only connect to proxy servers that have this principal name in their certificate checked: msstd:*.contoso.com
(I'm using msstd:*.contoso.com because we're using a wildcard certificate, and that's the FQDN that's actually in the certificate. If you're using a SAN certificate, or a single-name certificate, pick the name you want to use from the cert.)
On fast networks, use HTTP first unchecked. On slow networks use HTTP first checked.
NTLM Authentication is selected.
----
Question: let's say you have Outlook configured not to use Outlook Anywhere, but to just connect with MAPI. How does it work then? Test that out; if it works without OA turned on, then you know it's an OA configuration that's the problem.
Also, when you have Outlook open, do a ctrl+right click on the Outlook tray icon, and choose "Connection Status" to see whether something maybe isn't connected. You can also do "Test autoconfiguration" there to see what autodiscover is actually handing Outlook right now for URLs.
ASKER
Thank you for your responses. The Outlook Anywhere is configured the same as your example, except we're using Basic Authentication. Would this make a difference?
I'm interested in your comment about user authentication and relay. My assumption was that Outlook Anywhere would authenticate the user against the Exchange front end the same as if you logged on to OWA using the website. But I might be wrong here.
I will change to NTLM Authentication and see if that makes a difference.
Unfortunately, because the client is not on the same network, I cannot use MAPI unless the user VPN into our network. I will test connection status and autoconfiguration on the client and get back to you.
Thanks,
ORBIS
I'm interested in your comment about user authentication and relay. My assumption was that Outlook Anywhere would authenticate the user against the Exchange front end the same as if you logged on to OWA using the website. But I might be wrong here.
I will change to NTLM Authentication and see if that makes a difference.
Unfortunately, because the client is not on the same network, I cannot use MAPI unless the user VPN into our network. I will test connection status and autoconfiguration on the client and get back to you.
Thanks,
ORBIS
Wait, Exchange 2003 doesn't use autodiscover, so there's nothing you need to configure for that. Although Outlook 2010 does try to use autodiscover, I don't think Google mail uses autodiscover, so there's probably not some legacy setting getting in the way. (Still worth verifying, though.)
NTLM vs Basic auth shouldn't matter, I don't think.
The real thing is that getting OA to work in Exchange 2003 is annoying at best, especially in a FE/BE design, and even more especially when you're using Forms-Based-Authentication
NTLM vs Basic auth shouldn't matter, I don't think.
The real thing is that getting OA to work in Exchange 2003 is annoying at best, especially in a FE/BE design, and even more especially when you're using Forms-Based-Authentication
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
http://office.microsoft.com/en-us/outlook-help/use-outlook-anywhere-to-connect-to-your-exchange-server-without-vpn-HP010102444.aspx
if not then other possibility would be to let user VPN into your network and then when connected its LAN and exchange which should work.