Asked by Albert Widjaja

Changing Outlook 2010/2013 & 2016 connectivity companywide to use MAPI/HTTPS: caveats and steps?

Hi All,

I noticed from my Outlook 2016 connection status that I am using RPC. Is this the old, slow and insecure protocol?
I've found the steps below:
Set-MapiVirtualDirectory -Identity "PRODMAIL20-VM\mapi (Default Web Site)" -InternalURL https://owa.domain.com/mapi -ExternalUrl https://owa.domain.com/mapi -IISAuthenticationMethods Negotiate
Set-MapiVirtualDirectory -Identity "PRODMAIL30-VM\mapi (Default Web Site)" -InternalURL https://owa.domain.com/mapi -ExternalUrl https://owa.domain.com/mapi -IISAuthenticationMethods Negotiate
Set-OrganizationConfig -MapiHttpEnabled $true
Get-OrganizationConfig | fl *mapi*


Note: I have a wildcard *.domain.com SSL certificate installed on both CAS servers above.

So I wonder if anyone here knows what the impact is of executing the steps above during business hours?

Any help would be greatly appreciated.

Thanks,
ASKER

OK, so which Outlook client updates do I need to make sure of first for all Outlook editions?

Is there any outage required at the server, or is email flow impacted perhaps?
Mapi/Http should be the default protocol for Exchange 2016. Was it disabled by someone before (and if so, maybe it was for a reason?)?

What is your current setting using the below command?

Get-OrganizationConfig | fl *mapi*


Also, don't forget that MAPI/HTTP could also be disabled per user/mailbox via the Set-CASMailbox command or via a registry key on the client side.
I'm using Exchange Server 2013 SP1 Standard edition, while my Outlook clients range from 2010 to 2016.

Can't Outlook 2010 and older use a MAPI/HTTPS connection after I set it with the PowerShell above?
OK, so in this case, I assume I need to standardize the name space (owa.domain.com) and the Autodiscover.domain.com for all of my CAS servers, and then let DNS Round Robin distribute the Outlook client connections to any CAS server?
Hi,

Standardizing the name space is best practice and if possible using split DNS (so internal and external URL are the same but internally the URL will resolve to the internal IP of your Exchange server(s) and externally will resolve to your public IP of your Exchange servers).

DNS Round Robin is supported and will work fairly well but it is not true high availability / load balancing like a real load balancer of course.



Please don't forget to mark comments as answer if they are a satisfactory response to your query.
Hi All,

All of my Exchange Server 2013 CAS has been configured with the below command:

For example PRODMBX20-VM

#OWA
Set-OWAVirtualDirectory -Identity "PRODMBX20-VM\owa (Default Web Site)" -ExternalURL "https://owa.domain.com/owa"
Set-OWAVirtualDirectory -Identity "PRODMBX20-VM\owa (Default Web Site)" -InternalURL "https://owa.domain.com/owa"

#OAB
Set-OABVirtualDirectory -Identity "PRODMBX20-VM\OAB (Default Web Site)" -ExternalURL "https://owa.domain.com/OAB"
Set-OABVirtualDirectory -Identity "PRODMBX20-VM\OAB (Default Web Site)" -InternalURL "https://owa.domain.com/OAB"

#ECP
Set-ECPVirtualDirectory -Identity "PRODMBX20-VM\ecp (Default Web Site)" -ExternalURL "https://owa.domain.com/ecp"
Set-ECPVirtualDirectory -Identity "PRODMBX20-VM\ecp (Default Web Site)" -InternalURL "https://owa.domain.com/ecp"

#EWS
Set-WebServicesVirtualDirectory -Identity "PRODMBX20-VM\EWS (Default Web Site)" -ExternalUrl "https://owa.domain.com/EWS/Exchange.asmx"
Set-WebServicesVirtualDirectory -Identity "PRODMBX20-VM\EWS (Default Web Site)" -InternalUrl "https://owa.domain.com/EWS/Exchange.asmx"

#ActiveSync
Set-ActiveSyncVirtualDirectory -Identity "PRODMBX20-VM\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL "https://owa.domain.com/Microsoft-Server-ActiveSync"
Set-ActiveSyncVirtualDirectory -Identity "PRODMBX20-VM\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL "https://owa.domain.com/Microsoft-Server-ActiveSync"

#MAPI
Set-MapiVirtualDirectory -Identity "PRODMBX20-VM\mapi (Default Web Site)" -InternalUrl "https://PRODMBX20-VM.domain.com/mapi" -IISAuthenticationMethods NTLM,Negotiate

#CAS Autodiscover URI
Set-ClientAccessServer -Identity PRODMBX20-VM -AutoDiscoverServiceInternalUri "https://PRODMBX20-VM.domain.com/autodiscover/autodiscover.xml"
 
#Outlook Anywhere
Set-OutlookAnywhere -Identity "PRODMBX20-VM\Rpc (Default Web Site)" -InternalHostname "owa.domain.com" -InternalClientAuthenticationMethod Ntlm -InternalClientsRequireSsl $true -IISAuthenticationMethods Negotiate,NTLM,Basic
Set-OutlookAnywhere -Identity "PRODMBX20-VM\Rpc (Default Web Site)" -ExternalHostname "owa.domain.com" -ExternalClientAuthenticationMethod Ntlm -ExternalClientsRequireSsl $true -IISAuthenticationMethods Negotiate,NTLM,Basic

Does it mean that if I execute the PowerShell below on PRODMAIL20-VM to change to use MAPI, there will be a massive outage or Outlook clients popping up with a re-logon prompt?
Set-MapiVirtualDirectory -Identity "PRODMAIL20-VM\mapi (Default Web Site)" -InternalURL https://owa.domain.com/mapi -ExternalUrl https://owa.domain.com/mapi -IISAuthenticationMethods Negotiate
Set-MapiVirtualDirectory -Identity "PRODMAIL30-VM\mapi (Default Web Site)" -InternalURL https://owa.domain.com/mapi -ExternalUrl https://owa.domain.com/mapi -IISAuthenticationMethods Negotiate
Set-OrganizationConfig -MapiHttpEnabled $true
Get-OrganizationConfig | fl *mapi*

I have done this change in a production environment and there should not be massive outage but every change has the potential to have impact so it's better to do it after hours and to test properly. It wouldn't be a bad idea to recycle the Autodiscover app pool either.
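
A pre-change check in the spirit of the "test properly" advice above, added here as an example and not code from any poster in this thread: it compares each MAPI virtual directory with the planned namespace URL, the wildcard certificate and the planned authentication methods. The function name Test-MapiVdirPlan and the sample records are constructed for illustration; the planned values are the ones given in the question.

```powershell
# Added example: compare MAPI virtual directory settings with the planned values
# before Set-OrganizationConfig -MapiHttpEnabled $true is run.
function Test-MapiVdirPlan {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $VirtualDirectory,
        [string]   $PlannedUrl  = 'https://owa.domain.com/mapi',
        [string]   $CertPattern = '*.domain.com',
        [string[]] $PlannedAuth = @('Negotiate')
    )
    $wantAuth = ($PlannedAuth | Sort-Object) -join ','
    foreach ($vd in $VirtualDirectory) {
        $findings = @()
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $value = [string]$vd.$prop
            if (-not $value) { $findings += "$prop is not set"; continue }
            $uri = [uri]$value
            if ($uri.Scheme -ne 'https') { $findings += "$prop is not HTTPS" }
            # A wildcard covers exactly one label, so the label counts must match too.
            $oneLabel = $uri.Host.Split('.').Count -eq $CertPattern.Split('.').Count
            if (-not ($oneLabel -and $uri.Host -like $CertPattern)) {
                $findings += "$prop host $($uri.Host) is not covered by $CertPattern"
            }
            if ($value.TrimEnd('/') -ne $PlannedUrl) {
                $findings += "$prop is $value, planned $PlannedUrl"
            }
        }
        $auth = @($vd.IISAuthenticationMethods | ForEach-Object { "$_" } | Sort-Object) -join ','
        if ($auth -ne $wantAuth) {
            $findings += "auth methods are '$auth', planned '$wantAuth'"
        }
        [pscustomobject]@{ Identity = $vd.Identity; Ready = ($findings.Count -eq 0); Findings = $findings }
    }
}

# Constructed sample records shaped like Get-MapiVirtualDirectory output.
$sample = @(
    [pscustomobject]@{ Identity = 'PRODMAIL20-VM\mapi (Default Web Site)'
        InternalUrl = 'https://owa.domain.com/mapi'; ExternalUrl = 'https://owa.domain.com/mapi'
        IISAuthenticationMethods = @('Negotiate') },
    [pscustomobject]@{ Identity = 'PRODMBX20-VM\mapi (Default Web Site)'
        InternalUrl = 'https://PRODMBX20-VM.domain.com/mapi'; ExternalUrl = $null
        IISAuthenticationMethods = @('NTLM', 'Negotiate') }
)
Test-MapiVdirPlan -VirtualDirectory $sample | Format-List

# On a real server: Test-MapiVdirPlan -VirtualDirectory (Get-MapiVirtualDirectory)
```

The second sample record mirrors the `#MAPI` line posted earlier, where the internal URL uses the server FQDN rather than the shared namespace.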
Is Exchange published through some kind of reverse proxy to external users?
No, it is directly published to the user without anything in front.
No load balancer of any kind.
Did you get a satisfactory response to your query or is there anything else still unclear? If you find that you have been helped adequately, please don't forget to mark a response as answer. Thank you!
If there is no load balancer or reverse proxy then there is nothing else to be done. If you had a reverse proxy, you would have to make sure that the MAPI/HTTP protocol is published on it.
Hi IT System Engineer, is there anything else you need help with? Otherwise it would be kind to close the question by marking an answer as (assisted) solution. Thanks!
Do I need to use Office 2013 or newer clients to ensure users are not prompted by this issue?
2010 can also work but it has to be up-to-date, the following versions will work:

• Outlook 2016
• Outlook 2013
• Outlook 2010 SP2 and updates KB2956191 and KB2965295
• Outlook for Mac for Office 365
• Outlook for Mac 2011

What do you mean by "prompted by this issue", a credential popup?
I just wanted to confirm that no users get prompted with some error message or to re-login in the credentials window after I run:

Set-MapiVirtualDirectory -Identity "PRODMAIL20-VM\mapi (Default Web Site)" -InternalURL https://owa.domain.com/mapi -ExternalUrl https://owa.domain.com/mapi -IISAuthenticationMethods Negotiate
Set-MapiVirtualDirectory -Identity "PRODMAIL30-VM\mapi (Default Web Site)" -InternalURL https://owa.domain.com/mapi -ExternalUrl https://owa.domain.com/mapi -IISAuthenticationMethods Negotiate
Set-OrganizationConfig -MapiHttpEnabled $true
Get-OrganizationConfig | fl *mapi*

Well, Outlook clients must be updated to use MAPI/HTTP. Office 2013 SP1 or Office 365 ProPlus February update (SP1 equivalent for ProPlus) are required for MAPI/HTTP. It is recommended that you deploy the May Office 2013 public update or the April update for Office 365 ProPlus to eliminate the restart prompt when MAPI/HTTP is enabled for users.

Outlook 2010 was updated to support MAPI/HTTP in the January 2015 Public Update, and additional fixes for it were released in the April 2015 Public Update.
Thanks !