Exchange 2010 prefers to HTTPS

Posted on 2013-01-07
Medium Priority
Last Modified: 2013-01-11
Hi, we are looking to kill MAPI. We are running Exchange 2010 with Outlook 2010. There are a number of reasons for wanting to kill MAPI.

Before I shut it off on the server I want to do some testing on my Outlook.

What is the best way to make my Outlook only talk to Exchange through HTTPS?
I have under connection in Outlook:
The correct settings for https
The check box for Connect using SSL only

Unchecked the On fast networks connect …(same for slow)

When I do connection status for Outlook, under “Conn” I still have “TCP/IP”. I believe it should be HTTPS.

Any help would be great. I’m not even sure if I should be looking at a preference setting on the server or if I am missing something on the client.

Question by:RSlimmon
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 38752914
Both ways Exchange will use (RPC for Exchange Server), but one is over HTTP/S.

If you face problems with MAPI, I don't think switching to Outlook Anywhere will solve them...

Anyway, had you restarted Outlook when you were testing?
LVL 49

Expert Comment

ID: 38752926
You really can't kill MAPI for internal clients unless you make the Exchange server unreachable except on port 443.

What do you mean by 'shut down the server'? What server are you referring to?

Expert Comment

ID: 38753318
Microsoft has gotten a lot better with managing MAPI connections and its draw on system resources.  That being said, your external clients, do they connect to Exchange 2010 via Outlook Anywhere? Have you looked at the connections screen on one of those?  What do you see?

By default with Exchange 2010 and Outlook 2010 your connections will be over HTTPS for the most part.  I'm leaning towards Akhater's post that I don't think you don't want to turn off MAPI so to speak.  You would want to block it; using the Windows firewall would probably be the simplest.

When Exchange was installed did you tell it that there were older versions of clients that will be needing to connect? Did you tell it you would be using Public Folders?

Just a few thoughts and questions...


Author Comment

ID: 38754885
Thanks all for posting

The main reason we want to kill MAPI is because we have to have a secure form of transportation (encryption) but the Riverbeds do not like to do acceleration with encryption on MAPI.  They will accelerate with HTTPS.

When the server was set up, yes, we said there were older clients.  Those are now gone.  And Public Folders are still around.  Do I need MAPI for Public Folders?  I did not think so.

When I say shut down the server I mean turn off MAPI ports to the server (just block the ports) unless there is a better way?  

So really I guess my real question here is what is the best way to deal with Riverbeds not accelerating outlook traffic?

My plan was to switch everyone over to RPC using HTTPS.  What would you suggest?

Expert Comment

ID: 38755735
That is the best plan, just switch everyone over to RPC over HTTPS.  Since you selected Exchange to support older clients and PFs I think you might be stuck with MAPI.  That being said, older clients like Outlook 2003/Exchange 2003 heavily relied on MAPI connections, that were not secure by default.  Outlook 2010/Exchange 2010 not so much, and is secure by default.

Basically when using RPC over HTTPS or Outlook Anywhere the MAPI commands are sent through the secure tunnel via the HTTPS protocols.

What I'm getting at is MAPI is still required with Exchange.  The MAPI connections are secure and funneled through secure tunnels but underneath it all Exchange is still using MAPI.

To make clients connect over HTTPS you can block HTTP to your server, or put redirects in IIS to force all communications over SSL/HTTPS.  You can do the same internally by blocking off the MAPI ports on your Windows Firewall.  That will make Outlook have to use the HTTPS protocols for the connections.

So blocking the ports is not a bad idea!

Riverbeds accelerate WAN traffic, right? So are we talking about users coming in from the Outside or Internal users?

Author Comment

ID: 38755797
In our environment Riverbeds accelerate domain-connected sites, i.e. Vancouver to Calgary, Calgary to Toronto.

So are you saying so long as I only have Outlook 2010 and newer clients, all I would have to do is block the HTTP ports and click the "Connect to Microsoft Exchange using HTTP" under Outlook Anywhere

Then click the Exchange Proxy Settings
under there put in my https:// url for my exchange
Check the use SSL only

That's it?
Public folders will still work and everything?

Expert Comment

ID: 38755878
Well, from the Outlook standpoint yes.  

From the server standpoint no, there are additional steps. So you are accelerating domain connected sites.

Exchange can be configured to ONLY allow SSL/HTTPS traffic for connectivity purposes.

For starters both your internal and external URLs need to be HTTPS for all the CAS items (OWA, ECP, ActiveSync, OAB). I'm thinking the only one that has an HTTP URL is OAB, as that is how the Exchange 2010 servers I have seen have been configured by default.

Then there are IIS configurations that will probably need to be made manually as well, unless you want to blow out virtual directories and have Exchange create fresh ones.

There are a couple of virtual directories that like HTTP traffic, OAB and PowerShell, so those two will most likely require some special attention. The PowerShell vdir is used for management (i.e. ECM, and PowerShell for Exchange); by default those connect via HTTP.  Blocking HTTP may prevent remote management of Exchange, since you will be blocking internally.

OAB is the Offline Address Book, I'm thinking that setting both internal and external urls to SSL/HTTPS will resolve that vdir from caring about HTTP traffic. May need to be removed and created again since the default setting is HTTP for internal traffic.
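
An added example, not part of the comment above: one way to list which Client Access virtual directories still advertise a plain-HTTP internal or external URL before HTTP is blocked. It assumes it is run in the Exchange Management Shell on Exchange 2010; the function name `Get-NonHttpsVdirUrl` is made up for this example.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Lists every CAS virtual directory URL that is set but does not use https://.
function Get-NonHttpsVdirUrl {
    # Cmdlets for the vdirs named in the comment (OWA, ECP, ActiveSync, OAB,
    # PowerShell), plus EWS, which carries the same two URL properties.
    $vdirCmdlets = 'Get-OwaVirtualDirectory',
                   'Get-EcpVirtualDirectory',
                   'Get-ActiveSyncVirtualDirectory',
                   'Get-OabVirtualDirectory',
                   'Get-WebServicesVirtualDirectory',
                   'Get-PowerShellVirtualDirectory'

    foreach ($cmdlet in $vdirCmdlets) {
        & $cmdlet | ForEach-Object {
            foreach ($prop in 'InternalUrl', 'ExternalUrl') {
                # Cast to string: in the remote shell the value arrives deserialized.
                $url = [string]$_.$prop
                if ($url -and $url -notlike 'https://*') {
                    New-Object PSObject -Property @{
                        Cmdlet   = $cmdlet
                        Identity = [string]$_.Identity
                        Property = $prop
                        Url      = $url
                    }
                }
            }
        }
    }
}

$findings = @(Get-NonHttpsVdirUrl)
if ($findings.Count -eq 0) {
    Write-Output 'All configured virtual directory URLs use HTTPS.'
} else {
    # Each row is a URL that clients or management tools would reach over HTTP.
    $findings | Format-Table Cmdlet, Identity, Property, Url -AutoSize
}
```

An empty URL is skipped rather than reported, since an unset ExternalUrl is not an HTTP endpoint.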
LVL 49

Accepted Solution

Akhater earned 2000 total points
ID: 38756430
Again, the only way to switch to RPC over HTTP is in fact to block the RPC ports from clients to the server. Other than that, Outlook will connect using RPC no matter if the checkbox is enabled or not in Outlook. And yes, public folders will work.

There is something else to do also: the CAS array name and/or the CAS server name should not be resolvable, or else you will experience delays.
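
An added example, not part of the accepted answer: a client-side check that the block described above is in effect, by testing whether the server still answers on the RPC endpoint mapper port while HTTPS stays reachable. The host name `cas.example.com` is a placeholder, and using TCP 135 as the indicator for direct RPC reachability is an assumption of this example.

```powershell
# Added example (not from the thread). Run from an Outlook client machine.
function Test-TcpPort {
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that silently drops packets shows up as a timeout.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false
        }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$casServer = 'cas.example.com'   # placeholder: your CAS server or CAS array name

$rpcOpen   = Test-TcpPort -ComputerName $casServer -Port 135   # RPC endpoint mapper
$httpsOpen = Test-TcpPort -ComputerName $casServer -Port 443   # Outlook Anywhere

if ($httpsOpen -and -not $rpcOpen) {
    $verdict = 'RPC blocked, HTTPS reachable: Outlook has to use RPC over HTTPS.'
} elseif ($httpsOpen -and $rpcOpen) {
    $verdict = 'RPC still reachable: Outlook can keep connecting over TCP/IP.'
} elseif ($rpcOpen) {
    $verdict = 'HTTPS unreachable but RPC open: Outlook Anywhere cannot work yet.'
} else {
    $verdict = 'Neither port reachable: check the name, routing and firewall rules.'
}

New-Object PSObject -Property @{
    Server  = $casServer
    Rpc135  = $rpcOpen
    Https   = $httpsOpen
    Verdict = $verdict
}
```

After the block is in place, the “Conn” column in Outlook's connection status window should show HTTPS instead of TCP/IP.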


Question has a verified solution.
