How to stop Microsoft Exchange 2013 pushing the Outlook Anywhere settings to all the Outlook users.

Certificate issue in Outlook while connecting to Exchange after adding the external host name in Outlook Anywhere.

In Exchange 2013 Server, under Exchange Admin Center - Servers - Outlook Anywhere:

Specify the external host name (for example, contoso.com) that users will use to connect to your organization.
By default it was blank. Since I wanted to test the Outlook Anywhere feature for a user, I entered my external dyndns.org name here.

Specify the internal host name (for example, contoso.com) that users will use to connect to your organization.
By default, my internal FQDN was already here.

Authentication method was NTLM.

Allow SSL offloading was checked.

Once I saved this, all of a sudden 25% of the users got a certificate error while connecting to Exchange and were not able to connect. To get rid of this, I tried importing the certificate from Exchange to the local PCs; it worked fine for a few users and they were connected to Exchange, but for the other users the error still remained and they were not able to connect. Then, to bring it back to normal, on the Exchange server I removed the external host name for Outlook Anywhere and restarted the server. The issue still remains; now Outlook continuously prompts a few users for the password. In Outlook, "Connect to Microsoft Exchange using HTTP" gets automatically enabled, and all the Exchange proxy settings get enabled as well. I strongly feel that, due to this automatic enabling of the Exchange proxy settings, I am getting prompted for the password.

I would like to know how to sort out this issue on the server side to bring it back to normal. We can disable Outlook Anywhere, as no user is connecting from outside. What we want is that only internal users should be able to connect to Exchange through Outlook.
zeeadmin asked:

Amit Kumar commented:
Without enabling Outlook Anywhere you won't be able to run Outlook with Exchange 2013, as this was an architectural change.

Now, first check your OWA, EWS and ECP: do you have any external URL published on all of them?

Which certificate are you using? Is it a wildcard?

Open OWA and check which certificate is applied; maybe the wrong certificate is applied in IIS.

Also uncheck SSL offloading, as per MS best practice.
Simon Butler (Sembee), Consultant, commented:
Outlook Anywhere is used by all clients to connect to Exchange 2013, so you cannot stop the settings being pushed out to the clients.

The best practice with Exchange 2013 is to use the same host name internally and externally, with a split DNS system configured to ensure the host name resolves internally to the internal IP address of the server.
http://semb.ee/hostnames2013

Simon.
zeeadmin (Author) commented:
I have checked OWA, EWS and ECP; no external URL is published on them.
Please find the attached image. Is this what you were asking about regarding the wildcard?

How do I check if the correct certificate is used by OWA?

My Outlook automatically fetches these settings:

Use this URL to connect to my proxy server for Exchange:
https://test-dc.myserver.local

Connect using SSL only: CHECKED
Only connect to proxy servers that have this principal name in their certificate: CHECKED
msstd:test-dc.myserver.local

Proxy authentication setting is NTLM Authentication.

The server was working fine earlier, and the issue came up only when I gave the external host name in Outlook Anywhere. When I removed that external host name, it should go back to normal as before, right?

This is a live server and I am fed up with the many complaints from the users, so what would be the best solution for me to resolve this? The strange thing is, the issue is not for all the users. Or do I need to uninstall Exchange and reinstall it to get rid of this error? It would be a big task.
Attachments: Exchange-certificate.jpg, OWA.jpg

Simon Butler (Sembee), Consultant, commented:
There is no need to reinstall Exchange.
If you follow the guidelines in my article above, removing all references to .local within Exchange, the error will go away.

Simon.
zeeadmin (Author) commented:
Thanks, Simon, for your positive comment.

As you mentioned, I will go with your article. Please let me know which section of your article will serve my purpose. Kindly guide me on which .local references are to be removed.
Simon Butler (Sembee), Consultant, commented:
Just complete the whole article, making the changes required so there are no references to .local within Exchange.

Simon.
zeeadmin (Author) commented:
Since I am not an expert on Exchange and this is a live production server, I am a little worried, and that makes me throw many questions at you, which will make me comfortable about getting closer to the solution.

As you mentioned, the references to .local have to be removed.

My Exchange server name: Test-DC
Domain name: myserver.local
FQDN: Test-dc.myserver.local

Currently my directories below have only the internal URL name and not the external host names:

OWA (Default Web Site) Internal URL
https://test-dc.myserver.local/owa

EWS (Default Web Site) Internal URL
https://test-dc.myserver.local/EWS/Exchange.asmx

ECP (Default Web Site) Internal URL
https://test-dc.myserver.local/ecp


Your article regarding the Autodiscover URL:
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.example.net/autodiscover/autodiscover.xml

In my case, will it be
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://test-dc.myserver/autodiscover/autodiscover.xml
or will it be
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://test-dc.myserver.local/autodiscover/autodiscover.xml



Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://test-dc.myserver/ews/exchange.asmx -ExternalUrl https://mail.example.net/ews/exchange.asmx

Since I do not have the external host names, shall I use this, or should I skip it: -ExternalUrl https://test-dc.myserver/ews/exchange.asmx


After doing the above, do I need to run the script below as well, as mentioned in the article, or is only the above sufficient?

# Change this value to match the name of the external certificate
$URLName = "mail.example.co.uk"
# Change this value to match the real name of the server
$ComputerName = "exch-001"

Get-WebServicesVirtualDirectory -Server $ComputerName | Set-WebServicesVirtualDirectory -InternalUrl https://$URLName/ews/exchange.asmx -ExternalUrl https://$URLName/ews/exchange.asmx
Set-OWAVirtualDirectory -Identity "$ComputerName\owa (Default Web Site)" -InternalUrl https://$URLName/owa -ExternalUrl https://$URLName/owa
Get-OABVirtualDirectory -Server $ComputerName | Set-OABVirtualDirectory -InternalUrl https://$URLName/OAB -ExternalUrl https://$URLName/OAB
Get-ECPVirtualDirectory -Server $ComputerName | Set-ECPVirtualDirectory -InternalUrl https://$URLName/ECP -ExternalUrl https://$URLName/ECP
Get-MAPIVirtualDirectory -Server $ComputerName | Set-MAPIVirtualDirectory -InternalUrl https://$URLName/MAPI -ExternalUrl https://$URLName/MAPI -IISAuthenticationMethods NTLM,Negotiate
Get-ActiveSyncVirtualDirectory -Server $ComputerName | Set-ActiveSyncVirtualDirectory -InternalUrl https://$URLName/Microsoft-Server-ActiveSync -ExternalUrl https://$URLName/Microsoft-Server-ActiveSync
Set-OutlookAnywhere -Identity "$ComputerName\RPC (Default Web Site)" -ExternalHostname $URLName -InternalHostname $URLName -InternalClientsRequireSSL $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod:NTLM
Set-ClientAccessServer -Identity $ComputerName -AutodiscoverServiceInternalUri https://$URLName/Autodiscover/Autodiscover.xml


In the above script, wherever ExternalHostname is mentioned, do I need to give the external host name, as I do not have any external host names, or do I need to give the same internal URL for the external one as well?

Simon, thanks in advance for patiently going through my messages and responding. I am going to hit the last nail, so please guide me.
Simon Butler (Sembee), Consultant, commented:
If you have a trusted SSL certificate on the server with the external host name (as you cannot put internal only host names on SSL certificates any longer) then you need to run the script to change all references internally to the external host name.
You also HAVE to configure a split DNS so that the external host name resolves internally to the internal IP address of the server.

The only way you can use an internal only certificate is when there will be NO external access to this server at all - no OWA, no ActiveSync, no Outlook Anywhere. Use of the internally generated SSL certificate is not supported for use with Outlook Anywhere (Externally) or ActiveSync.

Simon.
zeeadmin (Author) commented:
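An added audit script (not from the thread or from Simon's article) that lists every host name Exchange 2013 hands to Outlook through Autodiscover (Outlook Anywhere, the Autodiscover URI and the virtual directories) and flags the ones that end in .local or are not present on the certificate bound to IIS, which is the check to run before and after the rename script quoted above. It assumes it runs in the Exchange Management Shell on the Client Access server; the server name is a placeholder and the wildcard-matching helper is my own.

```powershell
# Added example, not from the thread or Simon's article. Run in the Exchange Management Shell.
$Server = $env:COMPUTERNAME   # placeholder: the CAS name, e.g. Test-DC
# Every DNS name (subject + SANs) on the certificate(s) bound to the IIS service.
$certNames = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() }

function Test-NameCovered([string]$Name) {
    # True when the host name matches a certificate name exactly or via a single-label wildcard.
    foreach ($d in $certNames) {
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.') -and ($Name -like $d) -and
            ($Name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

# Host names Outlook receives through Autodiscover: Outlook Anywhere, Autodiscover URI, virtual directories.
$refs = @()
$oa = Get-OutlookAnywhere -Server $Server
$refs += [pscustomobject]@{ Source = 'OutlookAnywhere InternalHostname'; Host = "$($oa.InternalHostname)"; RequireSsl = $oa.InternalClientsRequireSsl }
$refs += [pscustomobject]@{ Source = 'OutlookAnywhere ExternalHostname'; Host = "$($oa.ExternalHostname)"; RequireSsl = $oa.ExternalClientsRequireSsl }
$cas = Get-ClientAccessServer -Identity $Server
$refs += [pscustomobject]@{ Source = 'AutodiscoverServiceInternalUri'; Host = $cas.AutodiscoverServiceInternalUri.Host; RequireSsl = $null }

$vdirCmdlets = 'Get-WebServicesVirtualDirectory', 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-OabVirtualDirectory', 'Get-ActiveSyncVirtualDirectory', 'Get-MapiVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    foreach ($vd in (& $cmdlet -Server $Server)) {
        foreach ($kind in 'InternalUrl', 'ExternalUrl') {
            $u = $vd.$kind
            if ($u) { $refs += [pscustomobject]@{ Source = "$($vd.Name) $kind"; Host = $u.Host; RequireSsl = $null } }
        }
    }
}
# A .local name cannot appear on a public certificate, and any name missing from the IIS
# certificate is what makes Outlook throw the certificate warning described in the question.
$refs | ForEach-Object {
    $h = "$($_.Host)".ToLower()
    [pscustomobject]@{
        Source     = $_.Source
        Host       = $h
        IsLocal    = $h.EndsWith('.local')
        OnCert     = $(if ($h) { Test-NameCovered $h } else { $null })
        RequireSsl = $_.RequireSsl
    }
} | Format-Table -AutoSize
```

Any row with IsLocal true or OnCert false is a name that still needs to be changed (and, for the external name, resolved internally via split DNS) before the certificate prompts stop.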
Simon, as I had mentioned earlier, if I unchecked the settings below under Exchange proxy settings in Outlook, Outlook worked perfectly; but the moment I close and open Outlook, the default settings appear again.

Connect using SSL only

Only connect to proxy servers that have this principal name in their certificate:
msstd:test-dc.myserver.local

Since I knew it would work if I disabled SSL, I used the command below.

Set-OutlookAnywhere -Identity:"EX2013\rpc (Default Web Site)" -InternalClientsRequireSsl $false

Now Outlook for all the users works perfectly, without any certificate error or password prompts.

Simon, thanks for your article.