Disabling Outlook Anywhere & Avoiding Unnecessary Authentication Prompts for Certain Mailboxes


So this is a complicated scenario but only because this particular customer made it that way; in fact the solution ended up being very simple.

Scenario:

One of my Consultant co-workers pinged me on an issue he was sorting through at a customer site. They were using UAG for their Outlook Anywhere endpoint, both internally & externally. They had a policy to only allow Outlook Anywhere for roughly 30% of their user base. They were enforcing this using AD group membership in UAG to block access to the Outlook Anywhere rule for all users except for those on the allowed list.

Not only was this a nightmare to manage but it also caused Outlook Authentication prompts in certain scenarios. I’ll explain:

When internal Outlook users moved between wired & wireless networks (or vice versa), Outlook would be disconnected just long enough for it to attempt an Outlook Anywhere connection over HTTPS (since the RPC/MAPI connection didn’t reconnect quite fast enough for Outlook’s liking). Well since they were using NTLM for Outlook Anywhere this didn’t really pose a problem for the users who had been allowed to use the OA rule in UAG. However, the users who had been blocked (the majority of their users) would get Outlook auth prompts.

This raised another question from the Consultant & the client; why does enabling Outlook Anywhere on your Client Access Server result in all Outlook clients being enabled for Outlook Anywhere? Shouldn’t there be a method to disable it by default & only enable it via AutoDiscover in Outlook on the mailboxes we choose? Well I’m not Microsoft so I couldn’t answer that but what I was able to do was give them a much better solution going forward which wouldn’t require the hassle of managing group membership for the UAG rule.

Background:

When you enable Outlook Anywhere on your Client Access Server (Exchange 2007/2010), AutoDiscover will then start handing out information to all Outlook Clients on how to connect via OA if a direct RPC/MAPI/TCPIP isn’t available. This allows external Outlook clients to connect to their Mailbox without the use of a VPN.

Exchange AutoDiscover hands these out using what’s called Outlook Providers. These allow Administrators & Exchange itself to differentiate between the various settings used with Outlook Anywhere VS direct RPC/MAPI/TCPIP connections.

The EXCH Outlook Provider is used to hand out settings used when connecting via RPC/MAPI/TCPIP while the EXPR Outlook Provider is used to hand out settings when connecting via Outlook anywhere (RPC over HTTPS). You can view the settings of each by running Get-OutlookProvider | Format-List.

This is the response received using the Test E-mail AutoConfiguration utility in Outlook for a mailbox after Outlook Anywhere has been enabled in the environment. This image shows the EXCH settings.
1

This image shows the EXPR settings received in the same AutoDiscover response. These are the settings Outlook will use to connect to Outlook Anywhere if it needs to. Notice here it says “Exchange HTTP” for the Protocol opposed to “Exchange RPC” in the previous image.
2

Below you’ll find the XML response from the “XML” tab of the Test E-mail AutoConfiguration utility. You can see the settings for both the EXCH & EXPR Outlook Providers.

<Protocol>

        <Type>EXCH</Type>

        <Server>CASArrayAustin.contoso.local</Server>

        <ServerDN>/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=CASArrayAustin.contoso.local</ServerDN>

        <ServerVersion>7383807B</ServerVersion>

        <MdbDN>/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=CASArrayAustin.contoso.local/cn=Microsoft Private MDB</MdbDN>

        <PublicFolderServer>EX10A.contoso.local</PublicFolderServer>

        <AD>ausdc.contoso.local</AD>

        <ASUrl>https://mail.ash.org/ews/exchange.asmx</ASUrl&gt;

        <EwsUrl>https://mail.ash.org/ews/exchange.asmx</EwsUrl&gt;

        <EcpUrl>https://mail.ash.org/ecp/</EcpUrl&gt;

        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>

        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>

        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>

        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>

        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>

        <OOFUrl>https://mail.ash.org/ews/exchange.asmx</OOFUrl&gt;

        <UMUrl>https://mail.ash.org/ews/UM2007Legacy.asmx</UMUrl&gt;

        <OABUrl>https://mail.ash.org/oab/69ed661e-c685-4ae2-a284-da308d7bd480/</OABUrl&gt;

      </Protocol>

<Protocol>

        <Type>EXPR</Type>

        <Server>oa.ash.org</Server>

        <SSL>On</SSL>

        <AuthPackage>Basic</AuthPackage>

        <ASUrl>https://mail.ash.org/ews/exchange.asmx</ASUrl&gt;

        <EwsUrl>https://mail.ash.org/ews/exchange.asmx</EwsUrl&gt;

        <EcpUrl>https://mail.ash.org/ecp/</EcpUrl&gt;

        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>

        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>

        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>

        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>

        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>

        <OOFUrl>https://mail.ash.org/ews/exchange.asmx</OOFUrl&gt;

        <UMUrl>https://mail.ash.org/ews/UM2007Legacy.asmx</UMUrl&gt;

        <OABUrl>https://mail.ash.org/oab/69ed661e-c685-4ae2-a284-da308d7bd480/</OABUrl&gt;

      </Protocol>

      <Protocol>

This image shows the actual Outlook Anywhere settings being configured on the client as a result of the AutoDiscover EXPR response. (File>Account Settings>Change>More Settings>Connection)
3

Resolution:

So the solutions here is actually fairly easy & oddly enough, not well known. The Set-CASMailbox command can be used to block a particular mailbox from accessing various Client Access features. In this case we can use it to block Outlook Anywhere for John’s Mailbox. (Note: This command can also be scripted or piped to take effect on any number of mailboxes in the environment).

Set-CASMailbox –Identity John –MAPIBlockOutlookRpcHttp $True

After running this command you may need to wait about 15min for AD replication to take effect as well as 15min for AutoDiscover, Outlook Anywhere, & ultimately Outlook to take the change. To speed this process up you can recycle the MSExchangeAutodiscoverAppPool in IIS as well as restart the Microsoft Exchange Service Host service on each CAS.

Now, if you run Test E-mail AutoConfiguraton you’ll see that the Outlook client doesn’t even get the EXPR response because they’ve had that feature blocked.

4

Now if you look at the Outlook Anywhere settings (below) in Outlook, they are no longer even configured/enabled. Now in my lab using Outlook 2013 I had to actually perform a profile repair to get this change to take effect immediately. You will likely either have to wait longer for it to take effect or manually repair the profile.

5

So in this customer’s case, users who were not allowed to use Outlook Anywhere would not get the Outlook Authentication prompt when moving from internal wired to wireless or vice versa because their Outlook client never attempted the Outlook Anywhere connection; they just remained in a disconnected state until the new connection came fully online.

Also, after showing the customer this command they no longer had to rely on UAG to control who could or couldn’t access Outlook Anywhere; they could now just script the Set-CASMailbox command.

Advertisements

Publish Exchange 2010 with TMG (cont)


Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 3/4 active sync)

Configure Active sync rule on TMG

  1. Open Forefront TMG
  2. Click on image_thumb5[1]
  3. In the Action Pane under Task click  image_thumb6[2]
  4. Give the rule a Name ill name mine “2010 Activesync”
  5. image
  6. Next –> Next
  7. image
  8. Internal Site Name should be your CAS server FQDN (needs to be on the cert)
  9. image
  10. The external name is what you use to access active sync(Also needs to be on the cert)
  11. image
  12. Select the Listener OA listener created on Part 2.
  13. image_thumb24[1]
  14. image
  15. image
  16. Finish
  17. Now Outlook anywhere is published!
  • Go Back To OWA
  • Go Back to Outlook anywhere

  • Move on to SMTP

    Publish Exchange 2010 with TMG (Forefront Threat Management Gateway) Series:

    1. OWA
    2. EWS\Outlook anywhere
    3. Active sync
    4. SMTP

  • Understanding the Self-Signed Certificate in Exchange 2007


     

    Understanding the Self-Signed Certificate in Exchange 2007: Exchange 2007 Help

    I have been saying for a long time now that you need to use a well known 3rd party multiname cert if you want to use ActiveSync or outlook anywhere.

    MS now agrees with me 🙂

     

                      image

    When you create a certificate request you want to include the following:

    • autodiscover.domain.com
    • mail.domain.com (mail = your external name)
    • host.domain.local

    Here is an example of a cert request

    New-ExchangeCertificate -GenerateRequest -SubjectName "C=US, O=Company, CN=mail.domain.com" -domainname mail.domain.com,autodiscover.domain.com,hostname,hostname.domain.local -FriendlyName mail.domain.com -privatekeyexportable:$true -path c:\cert_myserver.txt

    And the import after you get the cert back

    Import-ExchangeCertificate –Path “C:\CertificateFile.cer” | Enable-ExchangeCertificate -Services pop, smtp, iis, imap