

Exchange 2010 prefers to HTTPS

Posted on 2013-01-07
Medium Priority
Last Modified: 2013-01-11
Hi, we are looking to kill MAPI. We are running Exchange 2010 with Outlook 2010. There are a number of reasons for wanting to kill MAPI.

Before I shut it off on the server I want to do some testing on my Outlook.

What is the best way to make my Outlook only talk to Exchange through HTTPS?
I have under Connection in Outlook:
The correct settings for HTTPS
The check box for Connect using SSL only

Unchecked the On fast networks connect …(same for slow)

When I do Connection Status for Outlook, under “Conn” I still have “TCP/IP”. I believe it should be HTTPS.

Any help would be great. I’m not even sure if I should be looking at a preference setting on the server or if I am missing something on the client.

Question by:RSlimmon
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 38752914
Both ways Exchange will use RPC (for Exchange Server), but one is over HTTP/S.

If you face problems with MAPI, I don't think switching to Outlook Anywhere will solve them...

Anyway, had you restarted Outlook when you were testing?
LVL 49

Expert Comment

ID: 38752926
You really can't kill MAPI for internal clients unless you make the Exchange server unreachable except on port 443.

What do you mean by 'shut down the server'? What server are you referring to?

Expert Comment

ID: 38753318
Microsoft has gotten a lot better with managing MAPI connections and its draw on system resources.  That being said, your external clients, do they connect to Exchange 2010 via Outlook Anywhere? Have you looked at the connections screen on one of those?  What do you see?

By default with Exchange 2010 and Outlook 2010 your connections will be over HTTPS for the most part.  I'm leaning towards Akhater's post, in that I don't think you want to turn off MAPI, so to speak.  You would want to block it; using the Windows firewall would probably be the simplest.

When Exchange was installed did you tell it that there were older versions of clients that would be needing to connect? Did you tell it you would be using Public Folders?

Just a few thoughts and questions...


Author Comment

ID: 38754885
Thanks all for posting

The main reason we want to kill MAPI is because we have to have a secure form of transportation (encryption), but the Riverbeds do not like to do acceleration with encryption on MAPI.  They will accelerate with HTTPS.

When the server was set up, yes, we said there were older clients.  Those are now gone.  And Public Folders are still around.  Do I need MAPI for Public Folders?  I did not think so.

When I say shut down the server I mean turn off MAPI ports to the server (just block the ports), unless there is a better way?

So really I guess my real question here is what is the best way to deal with Riverbeds not accelerating outlook traffic?

My plan was to switch everyone over to RPC using HTTPS.  What would you suggest?

Expert Comment

ID: 38755735
That is the best plan, just switch everyone over to RPC over HTTPS.  Since you selected Exchange to support older clients and PFs, I think you might be stuck with MAPI.  That being said, older clients like Outlook 2003/Exchange 2003 heavily relied on MAPI connections, and were not secure by default.  Outlook 2010/Exchange 2010 not so much, and is secure by default.

Basically, when using RPC over HTTPS or Outlook Anywhere, the MAPI commands are sent through the secure tunnel via the HTTPS protocols.

What I'm getting at is MAPI is still required with Exchange.  The MAPI connections are secure and funneled through secure tunnels, but underneath it all Exchange is still using MAPI.

To make clients connect over HTTPS you can block HTTP to your server, or put redirects in IIS to force all communications over SSL/HTTPS.  You can do the same internally by blocking off the MAPI ports on your Windows Firewall.  That will make Outlook have to use the HTTPS protocols for the connections.

So blocking the ports is not a bad idea!

Riverbeds accelerate WAN traffic, right? So are we talking about users coming in from the outside or internal users?

Author Comment

ID: 38755797
In our environment Riverbeds accelerate domain-connected sites, i.e. Vancouver to Calgary, Calgary to Toronto.

So are you saying that so long as I only have Outlook 2010 and newer clients, all I would have to do is block the HTTP ports and click the "Connect to Microsoft Exchange using HTTP" under Outlook Anywhere

Then click the Exchange Proxy Settings
Under there put in my https:// URL for my Exchange
Check the use SSL only

That's it?
Public folders will still work and everything?

Expert Comment

ID: 38755878
Well, from the Outlook standpoint yes.  

From the server standpoint no, there are additional steps. So you are accelerating domain connected sites.

Exchange can be configured to ONLY allow SSL/HTTPS traffic for connectivity purposes.

For starters, both your internal and external URLs need to be HTTPS for all the CAS items (OWA, ECP, ActiveSync, OAB). I'm thinking the only one that has an HTTP URL is OAB, as that is how the Exchange 2010 servers I have seen have been configured by default.

Then there are IIS configurations that will probably need to be made manually as well, unless you want to blow out virtual directories and have Exchange create fresh ones.

There are a couple of virtual directories that like HTTP traffic, OAB and PowerShell, so those two will most likely require some special attention. The PowerShell vdir is used for management (ie ECM, and Powershell for Exchange); by default those connect via HTTP.  Blocking HTTP may prevent remote management of Exchange, since you will be blocking internally.

OAB is the Offline Address Book. I'm thinking that setting both internal and external URLs to SSL/HTTPS will resolve that vdir from caring about HTTP traffic. It may need to be removed and created again since the default setting is HTTP for internal traffic.
LVL 49

Accepted Solution

Akhater earned 2000 total points
ID: 38756430
Again, the only way to switch to RPC over HTTP is in fact to block the RPC ports from clients to the server. Other than that, Outlook will connect using RPC no matter if the checkbox is enabled or not in Outlook. And yes, public folders will work.

Something else to do also is that the CAS array name and/or the CAS server name should not be resolvable, or else you will experience delays.
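
A way to confirm which transport Outlook actually ends up on once the RPC ports are blocked, as an added example that is not part of the thread: it reads `netstat -ano -p tcp` output and lists every established Outlook session to the Exchange server by remote port. The function name `Get-OutlookTransport`, the IP addresses and the PIDs are constructed for illustration.

```powershell
# Added example (not from the thread). Function name, IPs and PIDs are constructed.
function Get-OutlookTransport {
    param(
        [string[]]$NetstatLines,  # output of: netstat -ano -p tcp
        [int[]]$OutlookPids,      # process IDs of OUTLOOK.EXE
        [string]$ServerIp         # address the Exchange CAS resolves to
    )
    foreach ($line in $NetstatLines) {
        # netstat columns: Proto, Local Address, Foreign Address, State, PID
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'ESTABLISHED') { continue }
        if ($OutlookPids -notcontains [int]$f[4]) { continue }
        $sep = $f[2].LastIndexOf(':')
        if ($f[2].Substring(0, $sep) -ne $ServerIp) { continue }
        $port = [int]$f[2].Substring($sep + 1)
        # Remote port 443 is RPC over HTTPS. Any other remote port is not Outlook
        # Anywhere; direct RPC sessions are what Connection Status shows as "TCP/IP".
        $transport = if ($port -eq 443) { 'HTTPS' } else { 'Other (e.g. direct RPC)' }
        New-Object PSObject -Property @{ RemotePort = $port; Transport = $transport }
    }
}

# Constructed sample: Outlook is PID 4321, the CAS is 10.0.0.10.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    10.0.0.25:50112        10.0.0.10:135          ESTABLISHED     4321',
    '  TCP    10.0.0.25:50113        10.0.0.10:6012         ESTABLISHED     4321',
    '  TCP    10.0.0.25:50120        10.0.0.10:443          ESTABLISHED     4321',
    '  TCP    10.0.0.25:50130        10.0.0.10:443          ESTABLISHED     9999'
)
$sessions = @(Get-OutlookTransport -NetstatLines $sample -OutlookPids 4321 -ServerIp '10.0.0.10')
$sessions | Format-Table RemotePort, Transport -AutoSize

$direct = @($sessions | Where-Object { $_.RemotePort -ne 443 })
if ($direct.Count -gt 0) {
    "Outlook still has $($direct.Count) non-HTTPS session(s) to the server"
} else {
    'All Outlook sessions to the server are on 443'
}

# Live use on a client (replace the placeholder with the CAS address):
# $ids = Get-Process OUTLOOK | ForEach-Object { $_.Id }
# Get-OutlookTransport -NetstatLines (netstat -ano -p tcp) -OutlookPids $ids -ServerIp '<CAS IP>'
```

Run it before and after the firewall change; the non-443 rows should disappear once the block is in place and Outlook has been restarted.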
