Configure Outlook Anywhere with 2 Accepted Domains?

Hello everybody,
I want to configure Outlook Anywhere for an Exchange organization. I have 2 accepted domains: domain1.com and domain2.com. Can you guide me through the best-practice procedure to enable it? How many certificates? What SANs should be included in the certificate?
And how to publish it?
Thanks
Regards

Hi Anas... OK, to start with, the way I do this is mentioned in the points below. Please check.
1. Configure the second domain in my AD (Domains and Trusts) for users to log in with their respective domain instead of all logging in to OWA or Outlook Anywhere from the parent domain
2. Configure internal DNS
3. Configure accepted domains
4. External DNS - public MX and A records
5. SSL would need autodiscover for sure, and if you want to protect the other domain (domain-2) then I would do it in the manner below.
autodiscover.domain1.com
mail.domain1.com
mail.domain2.com   (for both domains to have their own OWA or ECP)
Let me know if this helps. Where do you want to publish: firewall or CAS? CAS would be easy; for firewall, let me know which firewall.
****EDITED as per ED and MAS comments.. :)  thanks guys
Mark as useful or answered if my replies helped you solving your query.
Thanks, Happiness Always
Jatin
Skype: jatider2jatin, Email: [email protected]
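
As an added illustration (not part of the reply above): Outlook builds its Autodiscover HTTPS candidates from the part after @ in each user's SMTP address, so a proposed SAN list can be checked per accepted domain before the certificate is ordered. The function names are hypothetical and the host names are the thread's placeholders.

```powershell
# Added example, not from the thread. Host names are the thread's placeholders.

function Test-SanMatch {
    param([string]$HostName, [string[]]$SanList)
    foreach ($san in $SanList) {
        if ($san -ieq $HostName) { return $true }
        if ($san.StartsWith('*.')) {
            # A wildcard stands for exactly one left-most label:
            # *.domain1.com covers mail.domain1.com but not a.b.domain1.com or domain1.com.
            $suffix = $san.Substring(1)
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-AutodiscoverCertCoverage {
    param([string[]]$AcceptedDomain, [string[]]$SanList)
    foreach ($domain in $AcceptedDomain) {
        # HTTPS names Outlook tries first for a user whose address ends in @$domain.
        $candidates = @($domain, "autodiscover.$domain")
        $onCert = @($candidates | Where-Object { Test-SanMatch -HostName $_ -SanList $SanList })
        [pscustomobject]@{
            AcceptedDomain     = $domain
            HttpsNamesOnCert   = $onCert -join ', '
            # No HTTPS candidate on the certificate: that domain's users have to reach
            # Autodiscover through the HTTP redirect or an SRV record instead.
            NeedsRedirectOrSrv = ($onCert.Count -eq 0)
        }
    }
}

# SAN list as proposed in the reply, checked against both accepted domains.
$san = 'autodiscover.domain1.com', 'mail.domain1.com', 'mail.domain2.com'
Get-AutodiscoverCertCoverage -AcceptedDomain 'domain1.com', 'domain2.com' -SanList $san |
    Format-Table -AutoSize
```

For an installed certificate, the names to feed in are the ones shown in the CertificateDomains property of the Get-ExchangeCertificate output.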

Similar Messages

  • Exchange 2013 - How to configure Outlook Anywhere with certificate based authentication?

    Hello,
    Is it possible to secure Outlook Anywhere in Exchange 2013 with certificate based authentication?
    I found documentation to configure CBA for OWA and ActiveSync, but not for Outlook Anywhere.
    We would like to secure external access to the mailboxes via Outlook by using CBA.
    Thanks a lot in advance!
    Regards,
    André

    Hi,
    Let’s begin with the answer in the following thread:
    http://social.technet.microsoft.com/Forums/en-US/e4b44ff0-4416-44e6-aa78-be4c1c03f433/twofactor-authentication-outlook-anywhere-2010?forum=exchange2010
    Based on my experience, Outlook client only has the following three authentication methods: Basic, NTLM, Negotiate. And for more information about Security for Outlook Anywhere, you can refer to the following article:
    http://technet.microsoft.com/en-us/library/bb430792(v=exchg.141).aspx
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • ISA 2006 publish Exchange 2010 Outlook Anywhere with KCD/NTLM and IPSEC - Problem

    Hi
    I have setup ISA 2006 to publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation and IPSEC.
    The clients have an IPSEC policy pushed to them via GPO.  The clients are windows 7 laptops and the ISA server is server 2003, so the IPSEC connection is IKE not AuthIP.
    However, it seems that the connection will work for a while, then all of a sudden stop working with zero trace of why.  I cant get the Oakley log to work and I cant see any traffic on the ISA.
    I am wondering if I need to publish the CRLs externally? Currently we don't, and the Outlook Anywhere uses private certificates (as the whole point of IPSEC is to validate the internal certificate, there is no point in using public certificates).
    I have tried using the StrongCRLCheck=0 registry key in the IPsec Policy Agent on the windows 7 machine but it doesn't seem to make a difference.
    Any advice would be appreciated.
    Steven

    Hi,
    Firstly, have you received any related error messages in ISA server or on the clients' side? Besides, as you mentioned IPsec, did you have a VPN connection?
    In addition, ISA 2006 only includes a Client Access Web Publishing Wizard for both Exchange 2003 and Exchange 2007. Which Exchange version did you choose when publishing Exchange 2010?
    Please also make sure that you have selected the External interface for the web listener to listen on.
    Besides, the link below would be helpful to you:
    OWA publishing using Kerberos Constrained Delegation method for authentication delegation
    Best regards,
    Susie

  • ISA 2006 publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation

    Hi,
    I have two Exchange 2010 Sp1 CAS with Windows Network Loadbalancing. I set up an alternate Serviceaccount and mapped the http,ExchangeMDB,PRF and ExchangeAB SPNs.
    Then i published the Exchange Services via ISA 2006. OWA is working using Internet -> via NTLM -> ISA(webmail.domain.com) -> via KCD -> CAS-Array(ex2010.domain.com)
    I tried the same with Outlook Anywhere (RPC over HTTP) without success.
    Authentication to the ISA via NTLM works fine, but i think the isa server cannot delegate the Credentials successfully to the CAS-Server.
    The ISA Log looks like:
    Allowed Connection ISA 24.11.2011 15:50:40
    Log type: Web Proxy (Reverse)
    Status: 403 Forbidden
    Rule: Exchange 2010 RPC
    Source: Internal (172.16.251.33)
    Destination: (172.18.10.182:443)
    Request: RPC_OUT_DATA
    http://webmail.domain.com/rpc/rpcproxy.dll?ex2010.domain.com:6001
    Filter information: Req ID: 108b89d8; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: https
    So i always get a 403 Forbidden from the CAS.
    In the IIS log file from the CAS server I see this entry:
    2011-11-24 15:51:37 172.18.10.182 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 - <ISA IP> MSRPC 401 1 2148074254 203
    I use the same Listener for OWA and Outlook Anywhere. Authentication Methods are Basic and Integrated. I forward the request to a webfarm which exists of the two physical CAS. Internal Site Name is set to the NLB name ex2010.domain.com, SPN is set to http/ex2010.domain.com
    Thanks for your support

    Hi, i ran into the same Problem.
    the steps above solved mine too (Creating a custom AppPool which runs under LocalSystem).
    I wonder why they included only the Script: convertoabtovdir.ps1
    http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/dc24ccd3-378a-47cc-bbbf-48236f8fe5b0
    Is this a supported configuration (changing AppPool of RPC)?
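
The IIS entry quoted in the question carries more than the 401: the sub-status is 1, and the sc-win32-status value 2148074254 is 0x8009030E, SEC_E_NO_CREDENTIALS ("No credentials are available in the security package"). An added example (not part of the thread) that parses such lines and decodes those fields; the function name is hypothetical, and the client IP 192.0.2.10 and the second sample line are constructed.

```powershell
# Added example, not from the thread. Field order is the IIS 7 default W3C layout,
# which is what the log line quoted in the question follows.
$FieldNames = 'date','time','s-ip','cs-method','cs-uri-stem','cs-uri-query','s-port',
              'cs-username','c-ip','cs(User-Agent)','sc-status','sc-substatus',
              'sc-win32-status','time-taken'

# SSPI (security package) errors as they appear in sc-win32-status.
$SspiNames = @{
    '0x80090308' = 'SEC_E_INVALID_TOKEN'
    '0x8009030C' = 'SEC_E_LOGON_DENIED'
    '0x8009030E' = 'SEC_E_NO_CREDENTIALS'
    '0x80090322' = 'SEC_E_WRONG_PRINCIPAL'
}

function ConvertFrom-RpcProxyLogLine {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ([string]::IsNullOrWhiteSpace($Line) -or $Line.StartsWith('#')) { return }
        $values = $Line.Trim() -split '\s+'
        # A different field selection was logged: skip the line rather than guess.
        if ($values.Count -ne $FieldNames.Count) { return }
        $row = @{}
        for ($i = 0; $i -lt $FieldNames.Count; $i++) { $row[$FieldNames[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -notlike '*/rpcproxy.dll') { return }

        # IIS logs the Win32/HRESULT status as an unsigned decimal; show it as hex.
        $code = [uint32]$row['sc-win32-status']
        $hex  = '0x{0:X8}' -f $code
        $meaning = if ($code -eq 0) { 'ERROR_SUCCESS' }
                   elseif ($SspiNames.ContainsKey($hex)) { $SspiNames[$hex] }
                   else { 'not in table' }

        [pscustomobject]@{
            Time      = '{0} {1}' -f $row['date'], $row['time']
            Method    = $row['cs-method']
            Target    = $row['cs-uri-query']      # RPC endpoint asked of the proxy
            ClientIP  = $row['c-ip']
            User      = $row['cs-username']
            NoUser    = ($row['cs-username'] -eq '-')
            Status    = '{0}.{1}' -f $row['sc-status'], $row['sc-substatus']
            Win32     = $hex
            Meaning   = $meaning
        }
    }
}

# First line: the entry from the post, with the elided client address replaced by a
# constructed documentation IP. Second line: constructed successful request.
$sample = @(
    '2011-11-24 15:51:37 172.18.10.182 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 - 192.0.2.10 MSRPC 401 1 2148074254 203'
    '2011-11-24 15:52:02 172.18.10.182 RPC_IN_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 DOMAIN\user1 192.0.2.10 MSRPC 200 0 0 1500'
)

# Show only the rejected RPC proxy requests that arrived without an authenticated user.
$sample | ConvertFrom-RpcProxyLogLine |
    Where-Object { $_.Status -like '401.*' -and $_.NoUser } |
    Format-List
```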

  • Best Migration Method for Exchange 2007 with multiple accepted domains

    We are trying to determine which method would be best for us as we migrate to O365.  Scenario as follows:
    1) Multiple accepted domains (each in their own OU in AD); example: domainA.com, domainB.com
    2) Exchange is 2007; clients will be upgrading to Outlook 2013
    3) Would like to be able to sync mailboxes starting anytime but be able to cut over a domain at a time.
    Tested so far with staged migration but it appears that with this, there is a change in the TargetAddress sending all mail to the O365.  Even changing MXs didn't redirect the message as it reaches the Exchange box and immediately goes to O365.
    We haven't tried the cutover as we're only able to test with the production box and if that somehow cutover the entire box, we'd be .. well, it wouldn't be good.  
    Anyone had any experience so that our #3 point would be doable, that would be great.  
    Thx
    George

    Hi George,
    According to your description, I understand that the issue is related to Exchange migration from Exchange 2007 to Exchange Online for Office 365. This forum focuses on some general discussion about Office 365 ProPlus which is the version of Office that comes with many Office 365 plans. Therefore, I suggest we can post the issue in Microsoft Exchange Online (Office 365) forum for more professional suggestions:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=onlineservicesexchange
    Hope you can find the solution soon.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Autodiscover and Outlook Anywhere return http status 401

    Hi, I'm having issues with Autodiscovery (externally) and Outlook Anywhere for some users on our Exchange 2010 (SP3, RU2) setup. Just for information, we have Exchange servers at two AD sites (same forest / domain) with each site having 2 combined client access / hub transport servers and 3 mailbox servers (with 2 stretched DAGs across both sites). Site A is internet facing, but site B isn't.
    Autodiscovery
    Internally, it's working fine (using the Test E-mail AutoConfiguration option within Outlook 2010). But externally (using the Microsoft TestConnectivity site), autodiscovery fails, returning the following:
    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
    Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
    +Additional Details
       Elapsed Time: 1783 ms.
       + Test Steps
     The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml for user [email protected].
     The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
      +Additional Details
      An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
      Headers received:
      Content-Type: text/html
      Server: Microsoft-IIS/7.5
      WWW-Authenticate: Negotiate,NTLM,Basic realm="autodiscover.company.com"
    The odd thing is, if I browse to the autodiscover file location (externally), then I'm prompted for credentials. When I enter the same credentials that I input into the Microsoft connectivity analyser, I do actually get the correct https status 600 response.
    Also, within EMS, when I run "Test-OutlookWebServices" on Client Access servers in site B, I see the following results...
    RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    Id         : 1104
    Type       : Error
    Message    : The certificate for the URL https://ExchServer.domain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of ExchServer.domain.local, but the subject that was found is webmail.Company.com. Consider correcting service discovery, or installing a correct SSL certificate.
    RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    Id         : 1113
    Type       : Error
    Message    : When contacting https://ExchServer.domain.local:443/autodiscover/autodiscover.xml received the error The remote server returned an error: (500) Internal Server Error.
    RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    Id         : 1123
    Type       : Error
    Message    : The Autodiscover service couldn't be contacted.
    However - I can't see where Exchange has pulled the "...domain.local" address from for Autodiscovery. Both Get-AutodiscoveryVirtualDirectory and Get-ClientAccessServer both report the correct URLs/URIs with the FQDN of Company.Com (which are on the GoDaddy certificate we use both internally and externally).
    Outlook Anywhere
    Whether my issues with Outlook Anywhere are related to Autodiscover, I'm not sure. Users whose mailbox is located at Site A (internet facing) are fine, and Outlook Anywhere works great. But users whose mailbox is at Site B can't use Outlook Anywhere (starting Outlook in RPCDiag mode shows that it tries to connect, and sometimes establishes a connection for a couple of seconds, then disconnects completely).
    Running "Test-OutlookConnectivity -Protocol:http" on a Client Access server at Site B, passes all but the last scenario (Mailbox::Logon), which throws up the following error:
    RunspaceId                  : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    ServiceEndpoint             : ExchServer.domain.local
    Id                          : MailboxLogon
    ClientAccessServer          : ExchServer.domain.local.ad.local
    Scenario                    : Mailbox::Logon.
    ScenarioDescription         :
    PerformanceCounterName      : Mailbox: Logon latency
    Result                      : Failure
    Error                       :
    UserName                    : ad.local\extest_a91a4b4076f24
    StartTime                   : 14/01/2014 16:33:27
    Latency                     : -00:00:00.0010000
    EventType                   : Error
    LatencyInMillisecondsString : -1.00
    Identity                    :
    IsValid                     : True
    Testing Outlook Anywhere using Microsoft RCA throws up the error:
    RPC Proxy can't be pinged.
    An HTTP 401 error was received...
    Any help is greatly appreciated. Let me know if I've missed any info!
    Thanks
    Tony

    Hi Guys,
    My first chance today to respond!
    Firstly - thanks for all the information. I really appreciate it.
    Well, the good news is that Outlook Anywhere is now working at Site B. It looks like a combination of disabling Outlook Anywhere at Site B (thanks Jon), and then being patient and allowing replication to do its stuff (thanks Rhoderck).
    However RCA is still showing ‘Failed’ with the following error. If it helps to have the full output, please let me know. Just for info, I chose the option to test using autodiscovery (rather than manually enter it), which passed fine.
    Attempting to ping RPC proxy webmail.company.com.
    RPC Proxy can't be pinged.
    Additional Details
    An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
    Headers received:
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    WWW-Authenticate: Negotiate,NTLM
    X-Powered-By: ASP.NET
    Date: Tue, 21 Jan 2014 09:55:41 GMT
    Content-Length: 58
    Elapsed Time: 1063 ms.
    RPCProxy - ValidPorts
    Thanks for the 'SoundTrackOfMyLife' link... that looks to be almost identical to my scenario (with the exception of the Kemp LoadMasters). Following through the troubleshooting, my CAS servers at Site A (Internet Facing) are showing the registry key 'ValidPorts' as...
    SiteB-ExchCasSvr01:593;SiteB-ExchCasSvr01:49152-65535
    So - should this be...
    SiteB-ExchMbxSvr01:6001-6002;SiteB-ExchMbxSvr01:6004;SiteB-ExchMbxSvr01.domain.local:6001-6002;SiteB-ExchMbxSvr01.domain.local:6004;
    i.e. I only add ports 6001,6002 and 6004 for mailbox servers only? If so, which sites mailbox servers should I put in here?
    SSL Off Loading
    We've only really implemented SSL Offloading on the advice from Kemp (it's built in to their Exchange 2010 template). Apparently, the advantage is the LoadMasters have a dedicated hardware processor for decryption/encryption of SSL traffic, thus taking the load off the Exchange servers. Exactly how much of a load this would normally be for our Exchange servers is unknown. We've followed Kemp's documentation on unchecking 'Require SSL' for the IIS directories on Site A, and also configured Outlook Anywhere with SSL Offloading through the EMC. This was required as the Kemps are not re-encrypting traffic to the CAS servers (which are on the same site / LAN segment), and we're not a bank... so don't need encryption between the LoadMasters and the client access servers.
    However, Site B (non internet facing) has 'Require SSL' enabled on IIS directories, since (I guess) traffic is encrypted when performing CAS-CAS proxying?
    I am, as ever, open to suggestions on this design... since our original design was to use TMG for reverse proxy. It was only the end-of-life issue with TMG, and the fact that we opted for the Kemp LoadMasters (which offered ESP as a replacement to TMG) that swung us down this path.
    ESP and SSO are implemented on the LoadMaster at Site A (internet facing), which is (was!) not the problem site.
    Thanks again for your time and assistance guys. We’re almost there!
    Tony
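
The two ValidPorts strings in the post above differ in which hosts and ports the RPC proxy will forward to. An added example (not part of the thread) that parses the `host:port[-port];...` syntax and reports, per host, which of the three ports the post asks about (6001, 6002, 6004) are not allowed; the function names are hypothetical.

```powershell
# Added example, not from the thread.
# On a CAS the live value can be read with:
#   (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy').ValidPorts

function ConvertFrom-ValidPorts {
    param([string]$Value)
    foreach ($entry in ($Value -split ';')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }                       # tolerate a trailing ';'
        if ($entry -notmatch '^(?<server>[^:]+):(?<from>\d+)(-(?<to>\d+))?$') {
            Write-Warning "Unparseable ValidPorts entry: $entry"
            continue
        }
        $from = [int]$Matches['from']
        $to   = if ($Matches['to']) { [int]$Matches['to'] } else { $from }
        [pscustomobject]@{ Server = $Matches['server']; From = $from; To = $to }
    }
}

function Test-OutlookAnywherePorts {
    param(
        [string]$Value,
        [int[]]$Required = @(6001, 6002, 6004)   # the ports named in the post
    )
    ConvertFrom-ValidPorts -Value $Value | Group-Object Server | ForEach-Object {
        $name   = $_.Name
        $ranges = $_.Group
        # A required port is missing when no range listed for this host contains it.
        $missing = @($Required | Where-Object {
            $port = $_
            -not ($ranges | Where-Object { $port -ge $_.From -and $port -le $_.To })
        })
        $shown = $ranges | ForEach-Object {
            if ($_.From -eq $_.To) { "$($_.From)" } else { "$($_.From)-$($_.To)" }
        }
        [pscustomobject]@{
            Server  = $name
            Allowed = $shown -join ','
            Missing = $missing -join ','
        }
    }
}

# The value found on the Site A CAS servers, as quoted in the post.
$current  = 'SiteB-ExchCasSvr01:593;SiteB-ExchCasSvr01:49152-65535'
# The value the post proposes instead.
$proposed = 'SiteB-ExchMbxSvr01:6001-6002;SiteB-ExchMbxSvr01:6004;' +
            'SiteB-ExchMbxSvr01.domain.local:6001-6002;SiteB-ExchMbxSvr01.domain.local:6004;'

Test-OutlookAnywherePorts -Value $current  | Format-Table -AutoSize
Test-OutlookAnywherePorts -Value $proposed | Format-Table -AutoSize
```

Short names and FQDNs are separate entries in ValidPorts, so the report lists them as separate hosts.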

  • Outlook is not connecting through Workgroup Machine over internet using Outlook Anywhere

    Users can connect successfully using Outlook Anywhere over the internet if the machines are on the domain. The problem is with workgroup machines, which are not connecting over the internet, as Outlook keeps prompting for a password. I have configured Outlook Anywhere with default Negotiate authentication, SSL offloading is checked, and the same name is used for internal and external URLs. A valid 3rd party certificate is also configured on the server.
    Talha Faraz Malik

    Hi,
    Step 1: In addition to that, please use Remote Connectivity Analyzer to check Outlook Anywhere from the internet.
    From that we will come to know the exact error.
    Step 2: Most organisations have an ISA or TMG firewall to create web publishing rules for Exchange services. In case you have one, you need to check whether the rule created for Outlook Anywhere is properly configured or not.
    If you have such a firewall, you can test the OA rule by using the Test Rule option in the ISA or TMG firewall.
    Most probably you will be able to find out the exact cause with the help of EXRCA.
    Please reply me if you have any queries.
    Regards
    S.Nithyanandham

  • ISA 2006 with IPSEC and NAT - Publishing Outlook Anywhere - TCP Checksum Dropped 0xc0040031 problem

    Hi
    I am looking to publish Outlook Anywhere, with IPSEC configured as per (http://www.microsoft.com/en-us/download/confirmation.aspx?id=23708) to lock down Outlook Anywhere to machines with internal certificates only.
    I have the following infrastructure setup:
    ISA 2006 SP1 - Server 2003 R2 / SP2
    -Allows UDP 4500/500 and TCP 443
    -Hosted on VMWare ESXi 5
    Test laptop - Windows 7
    External Firewall static NAT's from a public IP to ISA server and allows the following:
    UDP 4500/500
    Protocol 50/51
    IPSEC policy configured on the ISA server:
    -IP Filter List = DMZ IP of ISA server, source port any, destination port 443
    -Filter Action = Negotiate Security, Integrity Only
    -Authentication Methods = Certificate Authority, internal enterprise CA selected
    IPSEC policy configured on the Windows 7 Test Laptop:
    -IP Filter List = External (public) IP of ISA server, source port any, destination port 443
    -Filter Action = Negotiate Security, Integrity Only
    -Authentication Methods = Certificate Authority, internal enterprise CA selected
    So far the following works:
    I have a port listener running on the ISA server to mimic Exchange (just to keep things simple to begin with).
    If I unassign the IPSEC policies, I can telnet from an external network on the test laptop successfully to the external IP of the ISA server. 
    If I assign the IPSEC policies, I cannot telnet from an external network on the test laptop to the external IP of the ISA server.  I note the following:
    -HTTPS is denied with no rule (an allow rule is present)
    -Result Code = 0xc0040031 FWX_E_BAD_TCP_CHECKSUM_DROPPED
    -The ISA log shows IKE Client and IPSEC NAT-T client traffic as successful.
    -The event log shows main mode and quick mode as successful.
    -The IPSEC monitor shows SA's for quick mode and main mode.
    If I google the error code I gather it relates to the TCP checksum being calculated by the ISA server disagreeing with the actual checksum received.  I guess this is part of AH.  I have tried the following:
    -Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the ISA server under services\IPSEC and reboot.
    -Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the Windows 7 Laptop under services\PolicyAgent and reboot.
    -Disable the following in the ISA server registry and reboot:
    RSS
    SecurityFilters
    TCPA
    TCPChimney
    -Disable Chimney Offload via Netsh command
    -Disable all Offload options on VMXNET 3 driver advanced settings and rebooting
    -Switching to an E1000 NIC and disabling all offload options and rebooting
    -Upgrading E1000 drivers from base version (2002 driver) to Intel's later version (2008), rebooting and disabling all offload options.
    -Run a Wireshark trace - cannot see anything useful
    -Checked Oakley log - cannot see anything useful
    I still cannot get the 443 traffic to successfully connect without the FWX_E_BAD_TCP_CHECKSUM_DROPPED error and have run out of google articles.
    I would really appreciate if anyone has any suggestions?
    Many Thanks
    Steven

    Hi,
    Glad to hear that. I'll mark it as answer. Thank you.
    Best Regards,
    Joyce

  • NTLM Authentication in the Outlook Anywhere

    I use Exchange Server 2007 SP1 RollUp 6 installed on Windows Server 2008. I need to use Outlook Anywhere from non-domain computers. I tested Outlook Anywhere with Basic and NTLM authentication and all works fine. But when I use NTLM authentication, Outlook prompts for user credentials every time it starts, even when "remember password" was checked. The login and password are remembered in the network passwords of the user, but Outlook prompts for the password again and again when it starts. Exchange is published on port 443 directly (without any listeners)!
    When I connect by VPN, and use a TCP/IP connection to the server, Outlook remembers the password without any problems, and does not ask for the password again.
    get-OutlookAnywhere:
    ServerName                 : SRVEXCH2
    SSLOffloading              : False
    ExternalHostname           : mail.my_domain.ru
    ClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods   : {Ntlm}
    MetabasePath               : IIS://srvexch2.net.local/W3SVC/1/ROOT/Rpc
    Path                       : C:\Windows\System32\RpcProxy
    Server                     : SRVEXCH2
    AdminDisplayName           :
    ExchangeVersion            : 0.1 (8.0.535.0)
    Name                       : srvexch2
    DistinguishedName          : CN=srvexch2,CN=HTTP,CN=Protocols,CN=SRVEXCH2,CN=Servers,CN=Exchange Administrative Group (
                                 FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=S
                                 ervices,CN=Configuration,DC=net,DC=local
    Identity                   : SRVEXCH2\srvexch2
    Guid                       : 2c24f11b-852c-4948-b236-3f37d071d500
    ObjectCategory             : net.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged                : 18.02.2009 14:17:55
    WhenCreated                : 17.02.2009 14:53:36
    OriginatingServer          : dc1.net.local
    IsValid                    : True
    I have tried this cases, but they have not helped for this issue:
    1) Disable kernel mode authentication with this command: %systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false, I  also have unchecked Kernel mode authentication in the properties of Windows Authentication for Default Web site, \Rpc and \Autodiscovery virtual directories.
    2) Modify this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa lmcompatibilitylevel=3 and 2.
    3) Set NTLM instead of Kerberos on the security tab in the properties of Outlook.
    4) Install domain controller and global catalog roles on the Exchange Server.
    Does anybody have a solution for this issue? Maybe Outlook Anywhere and NTLM do not work at all?

    Have you also seen this:
    You must provide Windows account credentials when you connect to Exchange Server 2003 by using the Outlook 2003 RPC over HTTP feature
    http://support.microsoft.com/kb/820281
    1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
    2. Locate and then click the following registry subkey:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
    3. In the right pane, double-click lmcompatibilitylevel.
    4. In the Value data box, type a value of 2 or 3 that is appropriate for your environment, and then click OK.
    5. Quit Registry Editor.
    6. Restart your computer.

    LmCompatibilityLevel settings
    The LmCompatibilityLevel registry entry can be configured with the following values:
    - LmCompatibilityLevel value of 0: Send LAN Manager (LM) response and NTLM response; never use NTLM version 2 (NTLMv2) session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
    - LmCompatibilityLevel value of 1: Use NTLMv2 session security, if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
    - LmCompatibilityLevel value of 2: Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
    - LmCompatibilityLevel value of 3: Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
    - LmCompatibilityLevel value of 4: (Server Only) - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers refuse LM authentication, and accept NTLM and NTLMv2 authentication.
    - LmCompatibilityLevel value of 5: (Server Only) - Domain controllers refuse LM and NTLM responses, and accept only NTLMv2 responses. Clients use NTLMv2 authentication, use NTLMv2 session security if the server supports it; domain controllers refuse NTLM and LM authentication, and accept only NTLMv2 authentication.
    Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator

  • Exchange 2007 to 2013 Migration Outlook Anywhere keeps asking password

    Hi all, 
    i'm migrating an Exchange 2007 Server with all roles installed on a Windows Server 2008 R2 to 2 Exchange 2013 SP1 Servers (1 Cas and 1 Mailbox) installed on Windows Server 2012 R2.
    I installed Exchange 2007 SP3 RU13 for coexistance and everything was ok until i switched to the new 2013 CAS. 
    After that the client using Outlook Anywhere started asking for password. 
    I configured the Outlook Anywhere with these settings:
    Exchange 2007:
    OA Hostname mail.domain.com
    Client Authentication NTLM
    IISAuthenticathion Basic, NTLM
    SSL Required True
    Exchange 2013
    OA Hostname mail.domain.com
    Client Authentication NTLM (Both internal and external)
    IISAuthentication Basic, NTLM
    SSL Required True (both internal and external)
    Before switching to 2013 Cas everything works smoothly and the Outlook clients receive NTLM as HTTP Proxy authentication.
    After switching to 2013 Cas, test users migrated on 2013 Mailbox Server are ok, but Outlook users on Exchange 2007 Server get Basic as HTTP Proxy authentication and continue asking for credentials. 
    In the Exchange 2007 server i configured the host file to resolve servername and servername.domain.local with the ipv4 address to avoid issues regarding IPv6 with OA in Exchange 2007. 
    Using Microsoft Connectivity Test i receive the error "RPC Proxy can't be pinged - The remote server returned an error:
    (500) Internal Server Error"
    Any Ideas?
    Thanks for your Help

    Run this and post the result
    https://testconnectivity.microsoft.com/
    Cheers,
    Gulab Prasad
    Technology Consultant

  • Outlook Anywhere External Hostname

    Good day. I am busy doing a few tests in my lab environment with regards to Exchange 2010 Outlook Anywhere. Do any of you know if it is possible to set up Outlook Anywhere with an external hostname that differs from what the CAS hostname is? Taking into account that you have configured all the rest of the requirements for Outlook Anywhere, such as setting up the SAN certificate with all the correct FQDNs, setting up DNS etc. I have also configured the OutlookProvider (Set-OutlookProvider -Identity EXPR..) with the FQDN that I want to use for Outlook Anywhere. What I have found is that when I configure my Outlook client to use this new proxy address instead of the CAS hostname it prompts for a password and does not accept the password that is given. I can see in Outlook clients connection status that it is indeed trying to connect to my Outlook...
    This topic first appeared in the Spiceworks Community

    Hi,
    According to your description, you have minimized the certificate names before you set the internal and external host names of Outlook Anywhere and other services' URLs. If I misunderstand your meaning, please feel free to let me know.
    If yes, as Martina said, I recommend you set all URLs and internal and external OA host names with the name mail.company.com. Then we can confirm the internal DNS record about the name. To test Autodiscover, we can directly access its URL which is set in the property AutodiscoverServiceInternalURI.
    Additionally, based on my research, for the error when you run the New-TestCasConnectivityUser.ps1 script, you can open the script in Notepad, find the line beginning “new-mailbox”, and delete the parameter “–OrgainisationalUnit:$OrganistationalUnit”:
    http://www.definit.co.uk/2011/03/exchange-2010-createtestuser-mailbox-could-not-be-created-verify-that-ou-users-exists-and-that-password-meets-complexity-requirements/
    Thanks,
    Angela Shi
    TechNet Community Support

  • Allow changing of Outlook anywhere options after applying GPO

    Policy: Configure Outlook Anywhere user interface options
    Setting: Enabled
    All config UI enabled
    I have used the outlook2010 GPO template to configure outlook anywhere settings. However after enabling these options, the user can no longer change the outlook anywhere settings (all greyed out). So I enabled the above GPO in outlook 2010 ADMX template.
    "This policy setting allows you to determine whether users can view and change user interface (UI) options for Outlook Anywhere. If you enable this policy setting, users can view and change UI options for Outlook Anywhere. If you disable or do not configure this policy setting, users will be able to use the Outlook Anywhere feature, but they will not be able to view or change UI options for it."
    However after performing gpupdate, it has no effect, users still cannot change any of the outlook anywhere settings. Here are the download locations for the admx templates if anyone else would like to test and confirm this issue.
    http://www.microsoft.com/en-us/download/details.aspx?id=18968
    http://support.microsoft.com/kb/2426686
    Anand_N

    Hi,
    Please check if the value of the following registry key has been set correctly by Group Policy:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\office\14.0\outlook\rpc
    Value name: EnableRPCTunnelingUI
    Type: REG_DWORD
    To enable all configuration the value should be: 1
    Sincerely
    Rex Zhang
    TechNet Community Support

  • Autodiscover not setting outlook anywhere accordingly

    We have installed 2013 Mailbox and CAS servers on separate boxes into our 2010 environment. We have migrated a few users and it seems autodiscover does not configure Outlook Anywhere on the Outlook 2010 client. If we configure this manually, the user can connect and view mail. Outlook Web Access is fine, and certificates appear to be working, as we can manually configure Outlook and it is reading mail very well. We are running Exchange 2013 CU3, and have installed the certificate on the CAS. The autodiscover DNS entry has been changed to point to the 2013 CAS.
    Is this a common problem and what can we try to do to resolve this issue?
    I've read a few different posts and looked at authentication of virtual folders (still default setup), certificates (added new certificate from company CA). Any ideas?

    Hi CompGuy2012,
    To troubleshoot the autodiscover issue, I suggest we refer to the test email auto-configuration:
    [Check AutoConfiguration Status in Outlook]
    ===================================
    a. While Outlook is running, click the CTRL key and then right-click the Outlook icon in the system tray and then select “Test Email Autoconfiguration”.
    b. Confirm that your email address is in the address field, uncheck “Use Guessmart” and “secure Guessmart authentication” boxes. Then click the “Test” button.
    c. Once it runs, Check the Log tab and Results tab.
    Let us know the detailed error message.
    Thanks,
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Simon Wu
    TechNet Community Support

  • Autodiscover and outlook anywhere for multiple domains

    Hello
    I have an Exchange 2010 SP3 environment which is currently in production. We have multiple domain names added to accepted domains and it’s working fine.
    I have two different public IP addresses for MX (SMTP) and OWA.
    The following DNS records are created with the ISP DNS servers. Find the example below.
    MX Records
    Smtp.abc.com (10.1.202.10) (SMTP /MX)
    Smtp.zxc.com  (10.1.202.10) (SMTP /MX)- new domain
    Smtp.qwe.com  (10.1.202.10) (SMTP /MX) - new domain
    OWA and Autodiscover
    Mail.abc.com (10.1.202.2) (owa)
    Autodiscover.abc.com (10.1.202.2)
    Currently Outlook Anywhere and Outlook Autodiscover are working for the (mail.abc.com) domain without any issues. All the other domains are failing with errors when I’m testing with the Remote Connectivity Analyzer. When I’m trying to configure the Outlook profile, it’s not resolving the domain name.
    OWA is working for the domains; they are also using the same URL to access OWA (https://Mail.abc.com/owa).
    Any idea how to resolve this issue?
    Aucsna

    Hi,
    Agree with Ed, generally, all names autodiscover.SMTPAddressSuffix should be added in the certificate and Public DNS entries.
    Alternatively, you can refer to the following article to simplify the namespace in certificate:
    http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/using-autodiscover-large-numbers-accepted-domains-part1.html
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
    sure that you completely understand the risk before retrieving any suggestions from the above link.
    Thanks,
    Angela Shi
    TechNet Community Support
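
A check for the rule stated in the reply above (one autodiscover.SMTPAddressSuffix name per accepted domain on the certificate), added here as a PowerShell example that is not code from the thread. The function names are hypothetical and the SAN list is a constructed sample; the domains are the ones from the question.

```powershell
# Added example: the certificate SAN list below is constructed for illustration.
function Test-SanMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    # A wildcard covers exactly one leftmost label: *.abc.com matches
    # autodiscover.abc.com but not abc.com or a.b.abc.com.
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)                      # ".abc.com"
        if ($h.EndsWith($suffix)) {
            $label = $h.Substring(0, $h.Length - $suffix.Length)
            return (($label.Length -gt 0) -and (-not $label.Contains('.')))
        }
    }
    return $false
}

function Get-MissingCertificateName {
    param(
        [string[]]$SmtpDomain,          # accepted domains (SMTP address suffixes)
        [string[]]$ExtraName = @(),     # shared client names such as the OWA host
        [string[]]$CertSan              # subject alternative names on the certificate
    )
    # Outlook looks up autodiscover.<suffix> for the user's own address suffix,
    # so every accepted domain needs its own name on the certificate.
    $required = @($SmtpDomain | ForEach-Object { "autodiscover.$_" }) + @($ExtraName)
    foreach ($name in $required) {
        $covered = $false
        foreach ($entry in $CertSan) {
            if (Test-SanMatch -Pattern $entry -HostName $name) { $covered = $true; break }
        }
        if (-not $covered) { $name }    # emit only the names the certificate lacks
    }
}

# Accepted domains and the shared OWA name from the question above.
$domains = 'abc.com', 'zxc.com', 'qwe.com'
# Constructed SAN list: a certificate issued before the new domains were added.
$sans = 'mail.abc.com', 'autodiscover.abc.com'

Get-MissingCertificateName -SmtpDomain $domains -ExtraName 'mail.abc.com' -CertSan $sans
```

Each name the function returns also needs a public DNS record, since the certificate only matters once the client can resolve the host.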

  • How to force Outlook's Junk email filter to not filter Exchange 2010 SP1 accepted domains?

    Hello,
    I wonder if there really is no way how to reach the result described in the title question. Because
    http://support.microsoft.com/kb/2458522 says:
    This issue occurs because of a functionality change that is introduced in Exchange Server 2010 SP1. In Exchange Server 2010 SP1, domains that are configured as accepted domains are no longer allowed in the junk email lists of a mailbox.
    So please tell us, Microsoft, how can we force Outlook to accept an internal domain as a trusted sender and not apply the Junk email filter to it?
    There was already a long discussion about the steps here
    http://social.technet.microsoft.com/Forums/en-US/outlook/thread/15f857c6-0ed4-4004-9d90-cb5d16361752 so please don't offer anything described there.
    Thank you,

    Trying to deal with the Outlook Junk Email Filter is not very easy and has been a pain in the butt.
    The ONLY way to ensure the Outlook 2010 Junk Email filter honors "white listed" emails is to stamp the email with SCL -1. Setting a transport rule will do that but it is not very flexible.
    I was able to resolve these issues by simply enabling the Exchange 2010 Anti-Spam agents on each hub transport server. We have no Edge Server but we use a couple of Ironports at the gateway which provide the bulk of AntiSpam. We didn't think we would need the Exchange AntiSpam so we hadn't initially enabled it. After months of trying to resolve people's complaints of emails from internal systems ending up in Junk, this solution worked for us.
    This is the order in which it was done.
    1. We set the receive connectors for the internal systems for bypassing Anti Spam. We basically have 2 receive connectors, one for internal system with no relay, and one for internal systems who are allowed external relay.
    Get-ReceiveConnector "server\name of the receive connector" | Add-ADPermission -User "NT Authority\Anonymous Logon" -AccessRights ExtendedRight -ExtendedRights ms-exch-bypass-anti-spam
    Note: If you use SMTP Authentication, Exchange will only mark the emails as "Internal" and not assign a SCL of -1. It can only be on anonymous connections.
    Note: We have a separate receive connector for the Ironports delivering external email that will not bypass Anti-Spam. These emails will receive a SCL rating of 0-9
    2. We set the global SCL to 6 (default is 4). You can set it to whatever you want.
    Set-OrganizationConfig -SCLJunkThreshold 6
    So basically, any email tagged with SCL 7-9 will be moved to Junk by Exchange.
    3. Set-ContentFilterConfig -SCLQuarantineEnabled $False -SCLDeleteEnabled $False -SCLRejectEnabled $False
    We don't want delete, reject or quarantine anything on Exchange. Just move email to Junk folder if SCL 7-9 and have user deal with it.
    4. Set the Internal SMTP Servers by adding each Exchange server's IP Address to the Global Transport Settings. I used EMC, Organization Config, Global Settings, Transport Settings properties, Message Delivery tab. Do NOT add any other "internal" servers
    here, only the Exchange servers.
    5. Then we installed the AS agents on each HT Server.
    Starting with the first server
    Stop MSExchange Transport service
    D:\Program Files\Microsoft\Exchange Server\V14\Scripts>.\install-AntispamAgents.ps1
    After installation, disable all the agents except for Content Filtering Agent. This agent has to be enabled for Exchange to stamp the email with SCL -1. I used EMC, Organization Config, Hub Transport. You will see a new tab called Anti-Spam. Disable everything
    except Content Filtering.
    Start MSExchange Transport service.
    Repeat on each HT server. (You won't have to repeat the disabling of the agents as that is a global setting)
    6. You can add global safe senders by doing the following.
    $list = (Get-ContentFilterConfig).BypassedSenders
    $list
    $list.add("[email protected]")
    $list.add("[email protected]")
    Set-ContentFilterConfig -BypassedSenders $list
    The message headers are stamped with
    For emails sent through the Internal connector
    X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
    X-MS-Exchange-Organization-SCL: -1
    OR
    For external emails from a safe sender
    X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedSender
    X-MS-Exchange-Organization-SCL: -1
    OR
    For all other external emails
    X-MS-Exchange-Organization-SCL: 0
    Good Luck. This has basically stopped all the calls about "legitimate" email in Junk Email folder.
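
To verify which of the three outcomes listed above a given message received, the following added PowerShell example (not code from the post) reads the two headers the post names and applies the SCLJunkThreshold of 6 from step 2. The function name is hypothetical and the header samples are constructed.

```powershell
# Added example: the header blocks below are constructed samples, not captured mail.
function Get-SclVerdict {
    param([string]$RawHeaders, [int]$JunkThreshold = 6)
    # Unfold continuation lines so a wrapped header is matched as one line.
    $unfolded = $RawHeaders -replace '\r?\n[ \t]+', ' '
    $scl = $null
    $report = $null
    foreach ($line in ($unfolded -split '\r?\n')) {
        if ($line -match '^X-MS-Exchange-Organization-SCL:\s*(-?\d+)\s*$') {
            $scl = [int]$Matches[1]
        }
        elseif ($line -match '^X-MS-Exchange-Organization-Antispam-Report:\s*(.+)$') {
            $report = $Matches[1].Trim()
        }
    }
    if ($null -eq $scl) {
        $verdict = 'NoSclStamp'      # no SCL header: the Content Filter agent did not stamp it
    }
    elseif ($scl -eq -1) {
        $verdict = 'Bypassed'        # Outlook's junk filter honors SCL -1
    }
    elseif ($scl -gt $JunkThreshold) {
        $verdict = 'MovedToJunk'     # SCL above the threshold (7-9 when the threshold is 6)
    }
    else {
        $verdict = 'Inbox'
    }
    [pscustomobject]@{ SCL = $scl; AntispamReport = $report; Verdict = $verdict }
}

# Constructed samples covering the cases in the post, plus a high score and an unstamped message.
$samples = @(
    "X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass`nX-MS-Exchange-Organization-SCL: -1",
    "X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedSender`nX-MS-Exchange-Organization-SCL: -1",
    "X-MS-Exchange-Organization-SCL: 0",
    "X-MS-Exchange-Organization-SCL: 8",
    "Subject: message without an SCL stamp"
)

$samples | ForEach-Object { Get-SclVerdict -RawHeaders $_ } | Format-Table -AutoSize
```

A `Bypassed` verdict with `MessageSecurityAntispamBypass` identifies mail that entered through the connector granted ms-exch-bypass-anti-spam in step 1, which is the value to look for when reviewing what that anonymous bypass is letting through.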
