Solved

Is there a way to add an Outlook client outside the network if autodiscover is not in the certificate?

Posted on 2014-09-22
Last Modified: 2014-10-07
Is there a way to join an Outlook client outside of the network when autodiscover is not in the cert? Can I create a standalone cert for the client or change authentication for him if his computer is not joined to the domain and he is outside the network? This is the only error on the Microsoft analyzer:

Testing TCP port 443 on host company.com to ensure it's listening and open.
       The specified port is either blocked, not listening, or not producing the expected response.
Question by:JRome225
15 Comments
 
LVL 32

Expert Comment

by:it_saige
ID: 40336762
What Outlook client is the user connecting with?  Have you validated your settings with https://testconnectivity.microsoft.com/ (perform both of the Microsoft Office Outlook Connectivity Tests).

-saige-
0
 
LVL 1

Author Comment

by:JRome225
ID: 40337272
Outlook 2013. I ran the testconnectivity and got the aforementioned error when trying autodiscover.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40337330
I assume then that 443 is forwarded on your external firewall?

Because if it is, then you can manually specify the RPC proxy, the Exchange server, the Mutual authentication principal name and the authentication method (these settings would normally be passed automatically by the Autodiscover service).

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40337353
What are the settings for your ExternalClientAuthenticationMethod and ExternalClientsRequireSsl for the OutlookAnywhere service?

Get-OutlookAnywhere will provide this information.

-saige-
0
 
LVL 1

Author Comment

by:JRome225
ID: 40337547
Correct, the router is forwarding 443 to the server. Here are the external settings:


ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40337576
Do you have other clients that connect externally?  Also when you run the Connectivity tests, do you manually configure the settings?

-saige-
0
 
LVL 1

Author Comment

by:JRome225
ID: 40337639
No other clients are using it outside the network. When I ran the manual test it came back good with the exception of this error:

The address book Bind operation returned ecNotSupported. This typically indicates that your server requires encryption.
0

 
LVL 1

Author Comment

by:JRome225
ID: 40337663
Since the user's computer is not on the domain I changed the authentication type to basic and ran a connectivity test which failed with this error:

Attempting to ping the MAPI Mail Store endpoint with identity: servername:6001.
       The attempt to ping the endpoint failed.
       
      Additional Details
       
The RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime process.
Elapsed Time: 760 ms.
0
 
LVL 1

Author Comment

by:JRome225
ID: 40337680
Could I turn the outside ssl off or do you know a simple authentication setting I can use to get it to connect to RPC?
0
 
LVL 32

Accepted Solution

by:
it_saige earned 500 total points
ID: 40337696
If you do not have any other users externally, then yes you could.  I, however, would not leave it that way.  The better resolution would be to get a UCC cert that includes autodiscover.mydomain.com.

As a matter of completeness, domain membership does not matter in this situation.  The user is connecting to a web service (OutlookAnywhere, formerly known as RPC over HTTPS).  OutlookAnywhere verifies the user's ability to connect by way of the domain username and password.

This is how people can use their smart phones to send and receive Exchange emails.

-saige-
0
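An added example, not part of the original thread or written by its participants: a PowerShell check that reads the certificate presented on port 443 and reports whether it covers both the Outlook Anywhere proxy name and the autodiscover name recommended above. The host `mail.mydomain.com` and the helper names `Get-TlsCertificateNames` and `Test-NameCovered` are assumptions made for illustration.

```powershell
# Added example; host names below are placeholders, not values from the thread.
function Get-TlsCertificateNames {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: the goal is to read its names, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Subject Alternative Name extension (OID 2.5.29.17), rendered as text.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = @()
        if ($san) {
            # Assumption: English Windows prints "DNS Name=...", OpenSSL-based platforms "DNS:...".
            $names = [regex]::Matches($san.Format($true), '(?:DNS Name=|DNS:)([^\s,]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        # Fall back to the subject common name when there is no SAN extension.
        if (-not $names) { $names = @($cert.GetNameInfo('SimpleName', $false)) }
        return $names
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($entry in $CertNames) {
        if ($entry -eq $Name) { return $true }
        # A wildcard entry covers exactly one left-most label.
        if ($entry.StartsWith('*.') -and $Name.Contains('.')) {
            $parent = $Name.Substring($Name.IndexOf('.'))   # e.g. ".mydomain.com"
            if ($parent -eq $entry.Substring(1)) { return $true }
        }
    }
    return $false
}

$mailHost  = 'mail.mydomain.com'                      # placeholder proxy name
$needed    = @($mailHost, 'autodiscover.mydomain.com')
$certNames = Get-TlsCertificateNames -HostName $mailHost
foreach ($name in $needed) {
    [pscustomobject]@{ Name = $name; CoveredByCertificate = (Test-NameCovered $name $certNames) }
}
```

A `False` for the proxy name means the mutual authentication principal name entered in Outlook will not match the certificate; a `False` for the autodiscover name is the gap a UCC certificate closes.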
 
LVL 1

Author Comment

by:JRome225
ID: 40337945
The phones are working fine but this user is unable to connect to Exchange. What are the settings you recommend for the single user to connect with Outlook Anywhere?
0
 
LVL 1

Author Comment

by:JRome225
ID: 40337949
I'm getting this error when I set everything to Basic:

Attempting to ping RPC proxy mail.newbeginningsarc.com.
       RPC Proxy can't be pinged.
       
      Additional Details
       
An unexpected network-level exception was encountered. Exception details:
Message: The remote server returned an error: (404) Not Found.
Type: Microsoft.Exchange.Tools.ExRca.Extensions.MapiTransportException
Stack trace:
at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
at Microsoft.Exchange.Tools.ExRca.Tests.MapiPingProxyTest.PerformTestReally()
Exception details:
Message: The remote server returned an error: (404) Not Found.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at RpcPingLib.RpcPing.PingProxy(String internalServerFqdn, String endpoint)
at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
Elapsed Time: 1103 ms.
0
 
LVL 11

Expert Comment

by:hecgomrec
ID: 40338973
Here is the thing, autodiscover is a feature added to your Exchange server to help "away" users to find their servers in an easy way.  This doesn't mean you must use it!!!

As long as you know the address of your server you should be ok, no extra SSL.

Just don't let Outlook do the work; set up your server manually or using a combination, but I recommend manually.  There you should put the internal server name "eserver1.domain.local", then the username "supertester@yourdomain.com", then click on more settings, go to the connection tab, enable Outlook Anywhere and open proxy settings, enter your server name: "mail.yourdomain.com" and in the "Only connect to proxy...." section add "msstd:mail.yourdomain.com". Finally select your authentication method, then ok, apply, next... The connection should be established if you have everything right and it will ask for the user password; remember to include domain\username and choose to save the password.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40339053
What is the output of this cmdlet:

Get-OutlookProvider

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40339075
These are the settings that I can glean from our postings thus far:

RPC Proxy Server is: mail.newbeginningsarc.com
and
Mutual authentication principal name is: msstd.mail.newbeginningsarc.com
Authentication method is Basic

-saige-
0
