RSlimmon

Exchange 2010 prefers to HTTPS

Hi, we are looking to kill MAPI. We are running Exchange 2010 with Outlook 2010. There are a number of reasons for wanting to kill MAPI.

Before I shut it off on the server I want to do some testing on my Outlook.

What is the best way to make my Outlook only talk to Exchange through HTTPS?
Under Connection in Outlook I have:
The correct settings for HTTPS
The check box for "Connect using SSL only"
Unchecked the "On fast networks connect …" (same for slow)

When I do connection status for Outlook, under “Conn” I still have “TCP/IP”. I believe it should be HTTPS.

Any help would be great. I’m not even sure if I should be looking at a preference setting on the server or if I am missing something on the client.

Suliman Abu Kharroub

Both ways Exchange will use RPC (for Exchange Server), but one is over HTTP/S.

If you face problems with MAPI, I don't think switching to Outlook Anywhere will solve them...

Anyway, had you restarted Outlook when you were testing?
You really can't kill MAPI for internal clients unless you make the Exchange server unreachable except on port 443.

What do you mean by 'shut down the server'? What server are you referring to?
Microsoft has gotten a lot better with managing MAPI connections and its draw on system resources.  That being said, your external clients, do they connect to Exchange 2010 via Outlook Anywhere? Have you looked at the connections screen on one of those?  What do you see?

By default with Exchange 2010 and Outlook 2010 your connections will be over HTTPS for the most part.  I'm leaning towards Akhater's post in that I don't think you want to turn off MAPI, so to speak.  Blocking it by using the Windows firewall would probably be the simplest.

When Exchange was installed, did you tell it that there were older versions of clients that would need to connect? Did you tell it you would be using Public Folders?

Just a few thoughts and questions...
RSlimmon


Thanks all for posting

The main reason we want to kill MAPI is because we have to have a secure form of transportation (encryption), but the Riverbeds do not like to do acceleration with encryption on MAPI.  They will accelerate with HTTPS.

When the server was set up, yes, we said there were older clients.  Those are now gone.  And Public Folders are still around.  Do I need MAPI for Public Folders?  I did not think so.

When I say shut down the server I mean turn off MAPI ports to the server (just block the ports) unless there is a better way?  

So really I guess my real question here is what is the best way to deal with Riverbeds not accelerating outlook traffic?

My plan was to switch everyone over to RPC using HTTPS.  What would you suggest?
That is the best plan: just switch everyone over to RPC over HTTPS.  Since you selected Exchange to support older clients and PFs, I think you might be stuck with MAPI.  That being said, older clients like Outlook 2003/Exchange 2003 heavily relied on MAPI connections that were not secure by default.  Outlook 2010/Exchange 2010 not so much, and is secure by default.

Basically, when using RPC over HTTPS or Outlook Anywhere, the MAPI commands are sent through the secure tunnel via the HTTPS protocols.

What I'm getting at is MAPI is still required with Exchange.  The MAPI connections are secure and funneled through secure tunnels but underneath it all Exchange is still using MAPI.

To make clients connect over HTTPS you can block HTTP to your server, or put redirects in IIS to force all communications over SSL/HTTPS.  You can do the same internally by blocking off the MAPI ports on your Windows Firewall.  That will make Outlook have to use the HTTPS protocols for the connections.

So blocking the ports is not a bad idea!

Riverbeds accelerate WAN traffic, right? So are we talking about users coming in from the outside or internal users?
In our environment Riverbeds accelerate domain-connected sites, i.e. Vancouver to Calgary, Calgary to Toronto.

So are you saying that so long as I only have Outlook 2010 and newer clients, all I would have to do is block the HTTP ports and click the "Connect to Microsoft Exchange using HTTP" under Outlook Anywhere

Then click the Exchange Proxy Settings
under there put in my https:// url for my exchange
Check the use SSL only

That's it?
Public folders will still work and everything?
Well, from the Outlook standpoint yes.  

From the server standpoint no, there are additional steps. So you are accelerating domain connected sites.

Exchange can be configured to ONLY allow SSL/HTTPS traffic for connectivity purposes

For starters, both your internal and external URLs need to be HTTPS for all the CAS items (OWA, ECP, ActiveSync, OAB). I'm thinking the only one that has an HTTP URL is OAB, as that is how the Exchange 2010 servers I have seen have been configured by default.

Then there are IIS configurations that will probably need to be made manually as well, unless you want to blow out virtual directories and have Exchange create fresh ones.

There are a couple of virtual directories that like HTTP traffic, OAB and PowerShell, so those two will most likely require some special attention. The PowerShell vdir is used for management (i.e. ECM and PowerShell for Exchange); by default those connect via HTTP.  Blocking HTTP may prevent remote management of Exchange, since you will be blocking internally.

OAB is the Offline Address Book. I'm thinking that setting both internal and external URLs to SSL/HTTPS will resolve that vdir from caring about HTTP traffic. It may need to be removed and created again, since the default setting is HTTP for internal traffic.
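
Added example, not posted by anyone in this thread: a read-only check, run from the Exchange Management Shell, that lists which of the CAS virtual directories named above (OWA, ECP, ActiveSync, OAB) still publish a non-HTTPS internal or external URL. The server name and URL in the commented remediation line are placeholders.

```powershell
# Read-only audit for Exchange 2010 (PowerShell 2.0 compatible).
# Lists each CAS virtual directory and whether its URLs use HTTPS.
$getters = 'Get-OwaVirtualDirectory',
           'Get-EcpVirtualDirectory',
           'Get-ActiveSyncVirtualDirectory',
           'Get-OabVirtualDirectory'

function Get-UrlScheme($url) {
    # An unset URL is reported separately from a non-HTTPS one.
    if (-not $url) { return 'not set' }
    if (([Uri]$url).Scheme -eq 'https') { 'https' } else { 'NOT https' }
}

$report = foreach ($cmd in $getters) {
    & $cmd | ForEach-Object {
        New-Object PSObject -Property @{
            Source      = $cmd
            Server      = $_.Server
            Name        = $_.Name
            InternalUrl = $_.InternalUrl
            Internal    = Get-UrlScheme $_.InternalUrl
            External    = Get-UrlScheme $_.ExternalUrl
        }
    }
}

# Full picture first, then only the directories that need attention.
$report | Format-Table Server, Name, Internal, External -AutoSize
$report | Where-Object { $_.Internal -eq 'NOT https' -or $_.External -eq 'NOT https' } |
    Format-List Source, Server, Name, InternalUrl

# The OAB virtual directory also has its own SSL requirement flag.
Get-OabVirtualDirectory | Format-Table Server, Name, RequireSSL -AutoSize

# Remediation for a flagged OAB directory (placeholder identity and URL,
# left commented out so the script stays read-only):
# Set-OabVirtualDirectory -Identity 'EXCH01\OAB (Default Web Site)' `
#     -InternalUrl 'https://mail.example.com/OAB' -RequireSSL $true
```

Run the audit before blocking anything at the firewall, so that clients are not pushed onto HTTPS while a directory such as OAB is still advertising an HTTP URL.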