Solved

Exchange 2010 prefers to HTTPS

Posted on 2013-01-07
Last Modified: 2013-01-11
Hi, we are looking to kill MAPI. We are running Exchange 2010 with Outlook 2010. A number of reasons for wanting to kill MAPI.

Before I shut it off on the server I want to do some testing on my Outlook.

What is the best way to make my Outlook only talk to Exchange through HTTPS?
I have, under connection in Outlook:
The correct settings for HTTPS
The check box for Connect using SSL only

Unchecked the On fast networks connect …(same for slow)

When I do connection status for Outlook, under “Conn” I still have “TCP/IP”. I believe it should be HTTPS.

Any help would be great. I’m not even sure if I should be looking at a preference setting on the server or if I am missing something on the client.

Thanks
Question by:RSlimmon
8 Comments
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 38752914
Both ways, Exchange will use (RPC for Exchange server), but one is over HTTP/S.

If you face problems with MAPI, I don't think switching to Outlook Anywhere will solve them...

Anyway, had you restarted Outlook when you were testing?
 
LVL 49

Expert Comment

by:Akhater
ID: 38752926
You really can't kill MAPI for internal clients unless you make the Exchange server unreachable except on port 443.

What do you mean by 'shut down the server'? What server are you referring to?
 
LVL 3

Expert Comment

by:jodiddy
ID: 38753318
Microsoft has gotten a lot better with managing MAPI connections and its draw on system resources. That being said, your external clients, do they connect to Exchange 2010 via Outlook Anywhere? Have you looked at the connections screen on one of those? What do you see?

By default with Exchange 2010 and Outlook 2010 your connections will be over HTTPS for the most part. I'm leaning towards Akhater's post that I don't think you don't want to turn off MAPI so to speak. You would want to block it; using the Windows firewall would probably be the simplest.

When Exchange was installed, did you tell it that there were older versions of clients that would be needing to connect? Did you tell it you would be using Public Folders?

Just a few thoughts and questions...
 

Author Comment

by:RSlimmon
ID: 38754885
Thanks all for posting

The main reason we want to kill MAPI is because we have to have a secure form of transportation (encryption), but the Riverbeds do not like to do acceleration with encryption on MAPI. They will accelerate with HTTPS.

When the server was set up, yes, we said there were older clients. Those are now gone. And Public folders are still around. Do I need MAPI for Public folders? I did not think so.

When I say shut down the server I mean turn off MAPI ports to the server (just block the ports), unless there is a better way?

So really I guess my real question here is what is the best way to deal with Riverbeds not accelerating outlook traffic?

My plan was to switch everyone over to RPC using HTTPS.  What would you suggest?
 
LVL 3

Expert Comment

by:jodiddy
ID: 38755735
That is the best plan, just switch everyone over to RPC over HTTPS. Since you selected Exchange to support older clients and PFs, I think you might be stuck with MAPI. That being said, older clients like Outlook 2003/Exchange 2003 heavily relied on MAPI connections, that were not secure by default. Outlook 2010/Exchange 2010 not so much, and is secure by default.

Basically, when using RPC over HTTPS or Outlook Anywhere, the MAPI commands are sent through the secure tunnel via the HTTPS protocols.

What I'm getting at is MAPI is still required with Exchange. The MAPI connections are secure and funneled through secure tunnels, but underneath it all Exchange is still using MAPI.

To make clients connect over HTTPS you can block HTTP to your server, or put redirects in IIS to force all communications over SSL/HTTPS. You can do the same internally by blocking off the MAPI ports on your Windows Firewall. That will make Outlook have to use the HTTPS protocols for the connections.

So blocking the ports is not a bad idea!

Riverbeds accelerate WAN traffic, right? So are we talking about users coming in from the outside or internal users?
 

Author Comment

by:RSlimmon
ID: 38755797
In our environment Riverbeds accelerate domain connected sites, i.e. Vancouver to Calgary, Calgary to Toronto.

So are you saying, so long as I only have Outlook 2010 and newer clients, all I would have to do is block the HTTP ports and click the "Connect to Microsoft Exchange using HTTP" under Outlook Anywhere

Then click the Exchange Proxy Settings
Under there, put in my https:// URL for my Exchange
Check the use SSL only

That's it?
Public folders will still work and everything?
 
LVL 3

Expert Comment

by:jodiddy
ID: 38755878
Well, from the Outlook standpoint, yes.

From the server standpoint, no, there are additional steps. So you are accelerating domain connected sites.

Exchange can be configured to ONLY allow SSL/HTTPS traffic for connectivity purposes.

For starters, both your internal and external URLs need to be HTTPS for all the CAS items (OWA, ECP, ActiveSync, OAB). I'm thinking the only one that has an HTTP URL is OAB, as that is how the Exchange 2010 servers I have seen have been configured by default.

Then there are IIS configurations that will probably need to be made manually as well, unless you want to blow out virtual directories and have Exchange create fresh ones.

There are a couple of virtual directories that like HTTP traffic, OAB and PowerShell, so those two will most likely require some special attention. The PowerShell vdir is used for management (i.e. ECM, and PowerShell for Exchange); by default those connect via HTTP. Blocking HTTP may prevent remote management of Exchange, since you will be blocking internally.

OAB is the Offline Address Book. I'm thinking that setting both internal and external URLs to SSL/HTTPS will resolve that vdir from caring about HTTP traffic. It may need to be removed and created again, since the default setting is HTTP for internal traffic.
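An added example, not part of the post above: one way to list the CAS virtual-directory URLs that are still plain HTTP, as the comment suggests checking for OWA, ECP, ActiveSync and OAB. The function name `Find-NonHttpsUrl` and the sample server names are hypothetical; the sample objects are constructed so the function can be tried outside the Exchange Management Shell.

```powershell
# Added example: flags InternalUrl/ExternalUrl values whose scheme is not https.
# Find-NonHttpsUrl is a hypothetical helper name, not an Exchange cmdlet.
function Find-NonHttpsUrl {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$VirtualDirectory
    )
    foreach ($vdir in $VirtualDirectory) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $url = $vdir.$prop
            if (-not $url) { continue }          # URL not set, nothing to check
            $uri = [Uri]"$url"
            if (-not $uri.IsAbsoluteUri -or $uri.Scheme -ne 'https') {
                New-Object PSObject -Property @{
                    Identity = "$($vdir.Identity)"
                    Property = $prop
                    Url      = "$url"
                }
            }
        }
    }
}

# Constructed sample input (server and host names are placeholders).
$sample = @(
    (New-Object PSObject -Property @{
        Identity    = 'EX01\OAB (Default Web Site)'
        InternalUrl = 'http://ex01.example.test/OAB'
        ExternalUrl = 'https://mail.example.test/OAB' }),
    (New-Object PSObject -Property @{
        Identity    = 'EX01\owa (Default Web Site)'
        InternalUrl = 'https://ex01.example.test/owa'
        ExternalUrl = 'https://mail.example.test/owa' })
)
Find-NonHttpsUrl -VirtualDirectory $sample | Format-Table Identity, Property, Url -AutoSize

# In the Exchange Management Shell, pass the real objects instead:
# $vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
#          @(Get-ActiveSyncVirtualDirectory) + @(Get-OabVirtualDirectory)
# Find-NonHttpsUrl -VirtualDirectory $vdirs
```

With the constructed sample, only the OAB InternalUrl is reported.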
 
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 38756430
Again, the only way to switch to RPC over HTTP is in fact to block the RPC ports from clients to the server. Other than that, Outlook will connect using RPC no matter if the checkbox is enabled or not in Outlook. And yes, public folders will work.

There is something else to do also: the CAS array name and/or the CAS server name should not be resolvable, or else you will experience delays.
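An added example, not part of the accepted answer: a check to run on an Outlook client machine after the ports are blocked, reporting whether the client can still reach the server by direct RPC or only on 443. The host names are placeholders and the function names are hypothetical; TCP 135 (the RPC endpoint mapper) is used here as the stand-in for "the RPC ports", which the thread does not enumerate.

```powershell
# Added example, run on an Outlook client machine. Host names are placeholders.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false            # refused, filtered, or name not resolvable
    } finally {
        $client.Close()
    }
}

function Get-OutlookPathReport {
    param([string]$CasName, [string]$ProxyHost)
    # Does the CAS server / CAS array name resolve from this client?
    $resolves = $true
    try { [void][System.Net.Dns]::GetHostAddresses($CasName) } catch { $resolves = $false }
    # Assumption: TCP 135 (RPC endpoint mapper) stands in for "the RPC ports".
    $rpc   = $resolves -and (Test-TcpPort -ComputerName $CasName -Port 135)
    $https = Test-TcpPort -ComputerName $ProxyHost -Port 443
    if (-not $https) {
        $verdict = 'HTTPS (443) unreachable: Outlook Anywhere cannot connect'
    } elseif ($rpc) {
        $verdict = 'TCP 135 reachable: Outlook can still connect with direct RPC (TCP/IP)'
    } else {
        $verdict = 'Only 443 reachable: Outlook has to use RPC over HTTPS'
    }
    New-Object PSObject -Property @{
        CasName = $CasName; CasNameResolves = $resolves; Rpc135Open = $rpc
        ProxyHost = $ProxyHost; Https443Open = $https; Verdict = $verdict
    }
}

# Placeholders: the CAS array (or CAS server) name and the Outlook Anywhere proxy host.
Get-OutlookPathReport -CasName 'casarray.example.test' -ProxyHost 'mail.example.test' |
    Format-List
```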