User cannot send mail to external contacts using Outlook

orbisuser
Dear Experts,

I have a user in an affiliate office that currently uses MS Outlook 2010 to manage a corporate Google Mail account.

We want to provide users at this office e-mail services hosted on our Exchange 2003 Server.

I set up an Exchange account on their Outlook client using Outlook Anywhere (via HTTP proxy) that appears to be working; however, the user cannot send to external contacts, only other domain users.  They get a dialog box that simply says 'Operation Failed,' but no error details.  When the user logs directly into OWA, they can send to anybody.  So it must be an issue w/ Outlook.

Sorry I did not check the error logs.  The user's computer is not on our domain and I was using Cisco WebEx to troubleshoot.  I'm thinking there are several possibilities as to why this is happening:

1.  Is it possible that configuring Outlook to use Google Mail changed a MAPI setting? I'm not sure why Outlook would not allow user to send to external.

2.  I thought maybe that there was an issue with which account was set as default for Send/Receive, but if set correctly, this should not be a problem.

3.  Also, I thought that it may be a domain rights issue, but the user must authenticate when accessing the Exchange account and the user object in AD is subject to the same GPO as all others.

Please let me know if I've left out any critical information.  Any assistance would be greatly appreciated.

Thanks,
ORBIS

Kash (2nd Line Engineer)

Commented:
How is the user account configured? Using Exchange, so I take it you have gone into Mail and then configured extra settings, i.e. Outlook Anywhere.

http://office.microsoft.com/en-us/outlook-help/use-outlook-anywhere-to-connect-to-your-exchange-server-without-vpn-HP010102444.aspx

If not, then the other possibility would be to let the user VPN into your network, and then when connected it's LAN and Exchange, which should work.

Author

Commented:
Yes, the user's Outlook client is correctly configured to connect to our Exchange using RPC.  They can receive mail from anybody, but they can only send to domain e-mail addresses.  They are unable to send to external (non-domain) contacts.

VPN is an option we've discussed, but our policies would require that their workstations were folded into our domain environment if they were able to access our LAN.

Besides, my understanding was that the Outlook Anywhere feature enabled users to connect to the Exchange server regardless of network as long as they had WAN access to the Exchange front end.

I'm guessing there's an issue with the way the Outlook client is currently configured, but I can't figure it out.

Commented:
When the user logs in to OWA, they are successfully authenticating to the server, and so their mail to remote domains is being relayed out. Apparently, with Outlook, they are not successfully authenticating, so any mail they try to send out, they don't have permission to, because it's a relay.

Can you mention the steps you followed for configuring the Outlook?
I am interested to know "Exchange Proxy Settings", "Proxy Authentication", and on the Security tab, "Logon Network Security" and "Encryption".

Commented:
We have Outlook configured with Autodiscover, but I have that configured to hand out these settings:

Security tab: Encryption checked, User Identification (always prompt for credentials) unchecked.

Connection tab, Exchange Proxy Settings:

URL: https://email.contoso.com
Connect using SSL only checked, Only connect to proxy servers that have this principal name in their certificate checked: msstd:*.contoso.com

(I'm using msstd:*.contoso.com because we're using a wildcard certificate, and that's the FQDN that's actually in the certificate. If you're using a SAN certificate, or a single-name certificate, pick the name you want to use from the cert.)

On fast networks, use HTTP first unchecked. On slow networks use HTTP first checked.

NTLM Authentication is selected.

----

Question: let's say you have Outlook configured not to use Outlook Anywhere, but to just connect with MAPI. How does it work then? Test that out; if it works without OA turned on, then you know it's an OA configuration that's the problem.

Also, when you have Outlook open, do a ctrl+right click on the Outlook tray icon, and choose "Connection Status" to see whether something maybe isn't connected. You can also do "Test autoconfiguration" there to see what autodiscover is actually handing Outlook right now for URLs.

Author

Commented:
Thank you for your responses.  The Outlook Anywhere is configured the same as your example, except we're using Basic Authentication.  Would this make a difference?

I'm interested in your comment about user authentication and relay.  My assumption was that Outlook Anywhere would authenticate the user against the Exchange front end the same as if you logged on to OWA using the website.  But I might be wrong here.

I will change to NTLM Authentication and see if that makes a difference.

Unfortunately, because the client is not on the same network, I cannot use MAPI unless the user VPNs into our network.  I will test connection status and autoconfiguration on the client and get back to you.

Thanks,
ORBIS

Commented:
Wait, Exchange 2003 doesn't use autodiscover, so there's nothing you need to configure for that. Although Outlook 2010 does try to use autodiscover, I don't think Google mail uses autodiscover, so there's probably not some legacy setting getting in the way. (Still worth verifying, though.)

NTLM vs Basic auth shouldn't matter, I don't think.

The real thing is that getting OA to work in Exchange 2003 is annoying at best, especially in a FE/BE design, and even more especially when you're using Forms-Based-Authentication. I haven't done it in a while myself, but I can tell you I didn't like it. It was much easier to stand up an Exchange 2007 CAS/HT server, and enable OA on that, and keep using the 2003 back end.

Another associate has Outlook on his home PC configured with his work Exchange account, and he is able to send to external parties from his Exchange account.  I think Google Docs must make some change to the MAPI settings that is creating the problem.
