ISA 2006 publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation

Hi,
I have two Exchange 2010 SP1 CAS with Windows Network Load Balancing. I set up an alternate service account and mapped the http, ExchangeMDB, PRF and ExchangeAB SPNs.
Then I published the Exchange services via ISA 2006. OWA is working using Internet -> via NTLM -> ISA(webmail.domain.com) -> via KCD -> CAS-Array(ex2010.domain.com)
I tried the same with Outlook Anywhere (RPC over HTTP) without success.
Authentication to the ISA via NTLM works fine, but I think the ISA server cannot delegate the credentials successfully to the CAS server.
The ISA log looks like:
Allowed Connection ISA 24.11.2011 15:50:40
Log type: Web Proxy (Reverse)
Status: 403 Forbidden
Rule: Exchange 2010 RPC
Source: Internal (172.16.251.33)
Destination: (172.18.10.182:443)
Request: RPC_OUT_DATA
http://webmail.domain.com/rpc/rpcproxy.dll?ex2010.domain.com:6001
Filter information: Req ID: 108b89d8; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
So I always get a 403 Forbidden from the CAS.
In the IIS log file from the CAS server I see this entry:
2011-11-24 15:51:37 172.18.10.182 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 - <ISA IP> MSRPC 401 1 2148074254 203
I use the same listener for OWA and Outlook Anywhere. Authentication methods are Basic and Integrated. I forward the request to a web farm which consists of the two physical CAS. Internal Site Name is set to the NLB name ex2010.domain.com, SPN is set to http/ex2010.domain.com
Thanks for your support
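
The IIS entry quoted in the post above carries its diagnostic detail in the last numeric columns (sc-status, sc-substatus, sc-win32-status). The following sketch is an added example, not part of the original thread: it decodes sc-win32-status and reports only clients whose 401s on /rpc/rpcproxy.dll are never followed by an authenticated success. The column order is assumed to be the IIS 7.x default W3C selection, and every log line except the one from the post, including the 192.0.2.x client addresses and the user name, is constructed.

```python
"""Triage IIS W3C log lines for Outlook Anywhere (RPC over HTTP) logon failures."""

# Assumed column order: the IIS 7.x default W3C field selection, which matches
# the 14 columns of the line quoted in the post (no #Fields header is shown).
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken").split()

# Win32/SSPI status values (winerror.h) that commonly accompany IIS 401s.
WIN32_NAMES = {
    0x00000005: "ERROR_ACCESS_DENIED",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
}

# Constructed sample. Only the 15:51:37 line comes from the post, with its
# redacted "<ISA IP>" replaced by the documentation address 192.0.2.10.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 7.5
2011-11-24 15:51:36 172.18.10.182 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 - 192.0.2.10 MSRPC 401 2 5 15
2011-11-24 15:51:37 172.18.10.182 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 - 192.0.2.10 MSRPC 401 1 2148074254 203
2011-11-24 15:52:01 172.18.10.182 RPC_IN_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 - 192.0.2.20 MSRPC 401 2 5 12
2011-11-24 15:52:01 172.18.10.182 RPC_IN_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 - 192.0.2.20 MSRPC 401 1 2148074254 9
2011-11-24 15:52:02 172.18.10.182 RPC_IN_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 DOMAIN\alice 192.0.2.20 MSRPC 200 0 0 31
"""


def parse_line(line):
    """Return a field dict for a data line, or None for comments and odd lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def decode_win32(value):
    """Turn the decimal sc-win32-status (signed or unsigned) into (hex, name)."""
    code = int(value) & 0xFFFFFFFF
    return "0x%08X" % code, WIN32_NAMES.get(code, "unmapped")


def unresolved_auth_failures(lines):
    """Group rpcproxy.dll requests by (client, method, target) and return the
    groups whose 401 responses were never followed by an authenticated 2xx.

    A 401.2 followed by a 401.1 with SEC_E_NO_CREDENTIALS is also what the
    first legs of a successful Windows authentication handshake look like in
    this log, so a lone 401.1 proves nothing; the signal is a sequence that
    never ends in a 2xx carrying a user name.
    """
    pending = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["cs-uri-stem"].lower().endswith("/rpc/rpcproxy.dll"):
            continue
        key = (rec["c-ip"], rec["cs-method"], rec["cs-uri-query"])
        if rec["sc-status"] == "401":
            win32_hex, win32_name = decode_win32(rec["sc-win32-status"])
            pending.setdefault(key, []).append({
                "when": rec["date"] + " " + rec["time"],
                "status": rec["sc-status"] + "." + rec["sc-substatus"],
                "win32_hex": win32_hex,
                "win32_name": win32_name,
            })
        elif rec["sc-status"].startswith("2") and rec["cs-username"] != "-":
            # Handshake completed for this client/target: discard its 401 legs.
            pending.pop(key, None)
    return [
        {"client": key[0], "method": key[1], "target": key[2],
         "attempts": len(legs), "last": legs[-1]}
        for key, legs in pending.items()
    ]


if __name__ == "__main__":
    for item in unresolved_auth_failures(SAMPLE_LOG.splitlines()):
        last = item["last"]
        print("%s %s %s: %d x 401, last %s %s (%s) at %s" % (
            item["client"], item["method"], item["target"], item["attempts"],
            last["status"], last["win32_hex"], last["win32_name"], last["when"]))
```

On a published rule the c-ip seen by the CAS is the ISA server, so an unresolved group from that address points at the delegation leg between ISA and CAS rather than at the Outlook client.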

Hi, I ran into the same problem.
The steps above solved mine too (creating a custom AppPool which runs under LocalSystem).
I wonder why they included only the script: convertoabtovdir.ps1
http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/dc24ccd3-378a-47cc-bbbf-48236f8fe5b0
Is this a supported configuration (changing AppPool of RPC)?

Similar Messages

  • ISA 2006 publish Exchange 2010 Outlook Anywhere with KCD/NTLM and IPSEC - Problem

    Hi
    I have setup ISA 2006 to publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation and IPSEC.
    The clients have an IPSEC policy pushed to them via GPO.  The clients are Windows 7 laptops and the ISA server is Server 2003, so the IPSEC connection is IKE not AuthIP.
    However, it seems that the connection will work for a while, then all of a sudden stop working with zero trace of why.  I can't get the Oakley log to work and I can't see any traffic on the ISA.
    I am wondering if I need to publish the CRLs externally?  Currently we don't, and the Outlook Anywhere uses private certificates (as the whole point of IPSEC is to validate the internal certificate, there is no point in using public certificates).
    I have tried using the StrongCRLCheck=0 registry key in the IPsec Policy Agent on the Windows 7 machine but it doesn't seem to make a difference.
    Any advice would be appreciated.
    Steven

    Hi,
    Firstly, have you received any related error messages in ISA server or on the clients' side? Besides, as you mentioned IPsec, did you have a VPN connection?
    In addition, ISA 2006 only includes a Client Access Web Publishing Wizard for both Exchange 2003 and Exchange 2007. Which Exchange version did you choose when publishing Exchange 2010?
    Please also make sure that you have selected the External interface for the web listener to listen on.
    Besides, the link below would be helpful to you:
    OWA publishing using Kerberos Constrained Delegation method for authentication delegation
    Best regards,
    Susie

  • Exchange 2010, Outlook Anywhere, Autodiscover, SAN Certs and ISA 2004

    Hi
    Everything I have read says that SAN certs do not work with ISA 2004.  However I have read through the "White Paper: Understanding the Exchange 2010 Autodiscover Service" document to understand my options (url below) and notice that the SAN
    cert option in the "Summary of supported scenarios for connecting to the Autodiscover service from the Internet" section implies that ISA 2004 may be able to work:
    "Requires additional configuration if used together with either ISA Server 2004 or ISA Server 2006"
    http://technet.microsoft.com/en-us/library/jj591328(v=exchg.141).aspx
    Does anyone know if there is a supported ISA 2004 scenario where SAN certs can work?
    Thanks!

    It's highly doubtful, since ISA 2004 has been in extended support for two years.  See
    http://blogs.technet.com/b/isablog/archive/2009/10/05/mainstream-support-ending-for-isa-server-2004-standard-edition-sp3.aspx for details about ISA 2004 support - it goes totally out of support next year.

  • Exchange 2010 - Outlook Anywhere trying to connect to internal server name first before connecting to proxy server

    Hello,
    I have an Exchange 2010 question which I will post in the Exchange 2013 section since the Ask a question button in the legacy Exchange Servers section of technet takes me back to the part of Technet where I can only ask questions regarding Exchange 2013.
    If someone can point me to a part where I can place a question in an Exchange 2010 forum please let me know.
    We have Exchange 2010 setup with a CAS array listening to outlook.internaldomain.com
    We have TMG 2010 setup with a rule for Outlook Anywhere, the rule listens to mail.externaldomain.com and traffic that meets this rule is let through to outlook.internaldomain.com.
    When I fire up my laptop, which is connected to the internet, and start Outlook and let it configure my profile through autodiscover it sets it up correct and fills the Outlook profile with a servername stating outlook.internaldomain.com and a proxyserver
    to be used stating mail.externaldomain.com. After initial setup when my Outlook starts it almost immediately prompts me for a username and a password so this is working fine.
    At the office we have an internal network segment where DHCP is servicing the connecting clients and giving them our internal DNS servers because they need connection to some other network segments which are not available to the internet. This network segment
    does not have access to our internal Exchange environment but has full access to the internet. Clients in this network segment do want to use Outlook so using Outlook Anywhere for them is the logical way to go. When I connect my laptop to this network segment
    I get handed an IP address and our internal DNS servers, when I start Outlook it takes about two minutes before the credential prompt pops up and another 2 to 6 minutes after entering credentials before it says all folders are in sync. This is quite long
    and our clients find this unacceptable.
    I started testing what might be going on here and I have found that when I manually enter external DNS servers the Outlook password prompt will popup in seconds and all is working as expected so it seems Outlook is trying to connect to the internal servername
    when using our internal DNS servers (which can resolve outlook.internalnetwork.com) instead of directly going to the proxy server which is to be used for Outlook Anywhere.
    When I start a network monitor trace my thoughts are confirmed because when I am connected to the internal network segment OUTLOOK.EXE first tries to connect to outlook.internaldomain.com, it almost immediately gets a response stating that this route is
    inaccessible but OUTLOOK.EXE keeps on trying to connect until some sort of time out is reached (somewhere around two minutes) after which it connects to mail.externaldomain.com and Outlook shows the credential prompt.
    So to round it up, when connected to DNS servers that can resolve the internal servername Outlook tries to connect to the internal servername instead of the external name, Outlook does not recognize the answer from the network that the internal route is
    not accessible (or it does but does nothing with this information).
    Has anybody experienced this behaviour in Outlook?
    Does anyone have a solution in where I can force Outlook to connect to its proxy server and disregard the internal servername?

    Thank you for your reply.
    The client computers that are experiencing the issues are not domain joined, the only reason I can think of why this is occurring is because the DNS servers are able to resolve the internal hostname of the server, but I would expect Outlook to always use
    the proxy server that has been set in the configuration of the Outlook profile. Or at least acknowledging the answer that the initially tried route is inaccessible and immediately continue to the proxy server.
    For setting the same hostname for internal and external use, we use different namespaces internally and externally, do you mean setting the external hostname on the CAS array for internal use? Wouldn't that push all internal communication to the internet
    and to the outside interface of the TMG where the server is published with that hostname?

  • Exchange 2010+Outlook Anywhere+Windows XP not working together

    Hello,
    We have Exchange 2010 installed on Server 2008 R2. CAS/Hub/mailbox roles on same server. Outlook Anywhere is enabled and using a Go Daddy signed certificate for OWA. Now my problem is that Windows XP (w SP3) PCs that are not located inside domain and
    should use Outlook Anywhere cannot connect to that service. Outlook version is 2007 SP2. On the other hand, that same user can connect from a Windows 7 PC that is also located outside domain without problems. On XP PC Windows keeps asking for password repeatedly,
    on W7 PC it asks it and accepts and logs the user in and connects it to his mailbox. I have read numerous posts about this kind of issue, but so far none of them helped me. The certificate is issued to mail.domainname.ee and autodiscover.domainname.ee. The
    internal name of the server is excha.domainname.ee, external name is mail.domainname.ee. Also I used the Set-OutlookProvider cmdlet to set EXPR to msstd:mail.domainname.ee and also tried msstd:excha.domainname.ee this change did not have any effect on XP PC.
    What is wrong in XP and Outlook 2007 combination not being able to connect to Exchange 2010?

    I was suffering from a very similar issue.  The one major difference for me is that I was using a wildcard ssl certificate for "*.contoso.com" which was not matching with the server name of owa.contoso.com.
    Behaviour definitely seemed to only manifest with Windows XP on the open internet (not domain joined or internal) trying to use either Outlook 2007 or 2010 to connect to our internal Exchange 2010 server via RPC over HTTPS.  Autodiscover was successful
    but user would be repeatedly prompted for their credentials but they would never match.
    The key changes that seemed to fix this for us were to make these updates -
    Set-OutlookProvider EXPR -CertPrincipalName msstd:*.contoso.com
    alternatively if you don't care whether the proxy server name exactly matches your ssl cert you can do this (not recommended) -
    Set-OutlookProvider EXPR -CertPrincipalName none
    These commands manipulate the Microsoft Exchange Proxy Settings under the Outlook Anywhere options under the connection tab of your mail profile.  In particular the field labeled "Only connect to proxy servers that have this principal name in their
    certificate"
    Also, to force RPC over HTTPS and never try and timeout on TCP/IP connection (which cannot work through the firewall) -
    Set-OutlookProvider EXPR -OutlookProviderFlags:ServerExclusiveConnect
    This should click the checkbox for "On fast networks, connect using HTTP first, then connect using TCP/IP"
    This should then allow autoconfigure to work fine when setting up your mail profile.  If you want to check the settings page you should have something that looks like this -
    Finally, please note that Autodiscover settings are updated periodically not instantly. I believe it is something like every 15m or so.  As such, make the changes above and then wait for at least 15-30mins before making any other changes. 
    I ended up chasing my tail and then some complete red-herring *seemed* to fix the problem.  It was actually something that I had changed 20mins before!

  • Exchange 2010 Outlook Anywhere issues

    I have an Exchange 2010 cas server that works fine with OWA internally and over the internet, and Outlook Anywhere works fine internally. When I try to access it outside the office though, the authentication prompt just keeps coming up for any user I try
    it on. I have used the connectivity analyzer, and it gives me what I've pasted below. I have disabled OA and uninstalled the RPC, rebooted and installed again and set it back up, with no luck. I've also tried both NTLM and Basic setups on the server side,
    and they both give the same error from outside the office. I also have checked my firewall settings, and everything is good. The only thing I can think of is that my reverse proxy is causing an issue. We have RHEL 5 with apache doing reverse proxy. Everything
    else works though, so I'm not sure why OA wouldn't?
    RPC Proxy can't be pinged.
    Additional Details
    An unexpected network-level exception was encountered. Exception details:
    Message: The remote server returned an error: (501) Not Implemented.
    Type: Microsoft.Exchange.Tools.ExRca.Extensions.MapiTransportException
    Stack trace:
       at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
       at Microsoft.Exchange.Tools.ExRca.Tests.MapiPingProxyTest.PerformTestReally()
    Exception details:
    Message: The remote server returned an error: (501) Not Implemented.
    Type: System.Net.WebException
    Stack trace:
       at System.Net.HttpWebRequest.GetResponse()
       at RpcPingLib.RpcPing.PingProxy(String internalServerFqdn, String endpoint)
       at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
    Elapsed Time: 198 ms.

    Hello
    501 is an internal server error.
    Please browse RPC virtual directory from outside, and see if you are getting a default response - Which should be a blank page.
    If you are not getting a blank page, then you need to troubleshoot that first - Maybe re-install RPC over HTTP.
    Let me know if you need any help
    AkashG

  • Publishing Exchange 2013 Outlook Web App with Forefront TMG 2010

    Hello guys,
    I have published Exchange 2013 via TMG 2010 with pre-authentication. Since this is the first time I am doing it, I want to ask experts for the explanations :).
    When I configure ActiveSync on mobile, I just type the password and it starts syncing after 20 sec.
    When I use a browser and try to log in using the TMG logon screen, after I enter credentials (if they were not wrong), I get the Exchange 2013 logon screen (because my password was checked by DCs).
    I have customized the TMG template to the Exchange 2013 template, but it did not help - I have two logon screens.
    Is it possible to configure TMG for showing only one logon screen (without disabling pre-authentication)? Does it work this way?
    Did I miss something?

    Hi,
    Please try to enable FBA for external and internal OWA 2010 users by the methods in the blog below.
     There are several ways to accomplish this:
    Have internal users pointed to the internal interface of the Forefront TMG and utilize the forms-based authentication logon page offered by Forefront TMG. 
    Deploy Forefront UAG instead of Forefront TMG. Forefront UAG allows you to have FBA enabled on both the Exchange 2010 Client Access Servers and on the Forefront UAG solution itself. 
    Publish Exchange 2010 to the Internet using Forefront TMG but do not configure pre-authentication. This way the users need to go through the Forefront TMG solution, but will authenticate directly against the Exchange 2010 Client Access servers. 
    Configure an additional OWA and ECP virtual directory on the Exchange 2010 Client Access Servers.
    Reference: http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/enabling-forms-based-authentication-external-internal-owa-2010-users-exchange-2010-published-using-forefront-tmg-2010-part1.html
    Then check the blog
    - Creating a custom Forefront TMG 2010 OWA FBA logon page
    Note:
    Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
    Best Regards,
    Joyce

  • Exchange 2010/Outlook 2010 Security Alert (...there is a problem with the site's security certificate.)

    I've been looking to resolve this issue for a while now and was hoping someone could help me understand my options.
    We have Exchange 2010 & Outlook 2010 in our environment. I've created a SSL cert for our ActiveSync from a reputable CA and unfortunately, as you may not be surprised, we are seeing an alert each time we open Outlook that states:
    "Security Alert; Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.
    The name on the security certificate is invalid or does not match the name of the site."
    Of course my internal server name does not match my external server name. So the SSL I had created for use with OWA and ActiveSync is rejected by my internal Outlook clients.
    After doing some research I believe this is related to the Autodiscover service being configured with my internal server name and not my external name. 
    I've found some info about adding New-AutodiscoverVirtualDirectory and Set-ClientAccessServer commands and then found this article that might help (Configure Outlook Anywhere to Use Multiple SSL Certificates), but nothing is specific to my configuration and I'm concerned about what will happen to my existing configuration if this fails. 
    What happens when you run Set-ClientAccessServer? Does it retain and keep the old server config in place and add a new one or does it wipe it out? Will all of my devices need to be reconfigured?
    Same with New-AutodiscoverVirtualDirectory.  Does this simply add another virtual directory or is it going to overwrite my existing config?
    Then there is the question of whether or not any of this will actually address my issue at all.
    absolutezero273c

    Sorry.
    "[PS] C:\Windows\system32>Set-ClientAccessServer -Identity MailExt -AutoDiscoverServiceInternalUri "https://MailExt.contoso.com/autodiscover/autodiscover.xml"
    The operation couldn't be performed because object 'MailExt' couldn't be found on 'DomainController2.contoso.local'.
        + CategoryInfo          : NotSpecified: (0:Int32) [Set-ClientAccessServer], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 4D980455,Microsoft.Exchange.Management.SystemConfigurationTasks.SetClientAccessServer"...is the error I get.
    I've created the split zones and populated the Forward Lookup Zones as follows:
    CONTOSO.COM
    MailExt(CNAME)MailInt.contoso.local
    _tcp _autodiscover(SRV)MailExt.contoso.com
    CONTOSO.LOCAL
    MailInt(A)192.168.1.10
    MailExt(CNAME)MailInt.contoso.com
    One thing I did notice is that there isn't a _tcp _autodiscover entry for MailInt in my Forward Lookup Zones.  It was recommended that I make that entry for _tcp _autodiscover(SRV)MailExt.contoso.com in another post I read somewhere.
    I believe what I am trying to do is create a new autodiscover object as is shown here:
    I see there is a Get-ClientAccessServer & Set-ClientAccessServer command but I need to add a CAS. Does the Set-ClientAccessServer add or simply modify?
    Or would that require the New-AutodiscoverVirtualDirectory command? I read
    this page that discussed creating new virtual directories but that seemed a little risky without knowing all the ins and outs of how this service functions and to what degree this would affect the existing configuration.
    I was able to use the Set-ClientAccessServer command and change the actual internal autodiscoverUri to https://MailExt.contoso.com/autodiscover/autodiscover.xml but the name still says MailInt and I continue to get the SSL cert warnings because it is looking
    at MailInt.contoso.local.
    absolutezero273c

  • Address book hang Exchange 2010 - Outlook 2010,2013

    Hi Forum
    We have Exchange 2010 and clients with Office 2010, 2013.
    On all clients we can't use the address book; when we open it and change the address lists,
    Outlook hangs.
    I think the problem is since Exchange Rollup 8 v2.

    Hi,
    Please confirm if the issue occurs when using Global Address List in OWA.
    On the server side, please restart Microsoft Exchange File Distribution service and check whether the OAB folder in the following path is the latest date in Exchange server:
    a. OAB generated in Mailbox:
    \\Program Files\Microsoft\Exchange Server\ ExchangeOAB
    b. OAB distribution in Client Access:
    \\Program Files\Microsoft\Exchange Server\ClientAccess\OAB
    In Outlook client, please download Address Book manually in Outlook by the following steps:
    In the ribbon click Send / Receive, click Send/Receive Groups and then click Download Address Book.
    Then check whether there is any error when downloading it.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Exchange 2010 & Outlook 2010 - Cached Mode "okay" work well for you?

    Hi All,
    On our Client Laptops/PCs we disabled cache mode a long time ago due to issues experienced with a combination Delegates and Cached Mode occasionally affecting Calendaring.  We'd end up with vanishing appointments, etc.
    What I'd like to know from you is if you've had a positive experience with Exchange 2010 & Outlook 2010 32bit.  If you could impart any gotchas, etc.  Our environment is fairly vanilla with a total of 1500 Users.
    Thank you very much for your time,
    Mr Mister

    Hi,
    I am myself using Outlook 2007 over a WAN (VPN) connection with Exchange 2010 SP2 with about 3 GB mailbox and I personally have not faced any issues. Also, we have about 600 users with more than 2 GB mailboxes using Outlook 2010 in online mode and
    there are not many issues other than email with rich text format with screen shots attached in the mail body causing Outlook to hang. If we use the same email in HTML then no issues.
    It all depends on the sizing of your CAS and mailbox servers and also on the NIC speed configured on the server. I personally feel that we should have NIC card set to 1GB on the servers, also the backup and replication should be on separate dedicated LAN.

  • "Resend" option is not working for specific user. "The Operation Failed" Exchange 2010 Outlook 2013

    Hi Everybody. I have a weird one for you.
    I have a user that gets an "operation failed" message whenever trying to use the "resend" option on any email (It's the one right under recall). I had tested up and down on her machine. Exchange 2010 Outlook 2013
    Ran in safe mode, recreated her profile, disabled virus scanning, repaired office. (weird, the font just changed sizes on me)
    After all of this I tested on other computers, other users seem to be able to "resend" just fine. However her account does not work on any computer I try, internal or external to the network.
    It looks more like a profile issue.
    She's a very active archivist, so she only has 486MB of space used by her mailbox.
    It's well under quota.
    It's been really puzzling me.
    MCSE 2003, Exchange. MCTS Vista, 7. Administrator of awful, neglected website http://timssims.net

    Hi Timssims,
    Since there is only one user in the org has this issue, it seems an issue on the Outlook client side.
    I suggest asking Outlook Forum for help so that we can get more professional suggestions.
    For your convenience:
    https://social.technet.microsoft.com/Forums/office/en-US/home?forum=outlook
    However I also have some suggestions for your reference:
    1. If this issue occurs in Cached Mode, I suggest turning to Online Mode for testing.
    2. Please also paste the detailed error message if "operation failed" is not the complete information.
    3. If it still does not work after performing the operations above (including suggestions from Outlook Forum), I suggest re-creating a new mailbox for the specific user just as Martin suggested.
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • Hello! How can I set up and what to enable that my secretary has my shared calendar on her iPhone and that she can edit it? We are on Exchange 2010, Outlook 2010, iPhone 4s. Can it be done through some app? Thank you!

    Hello! How can I set up and what to enable that my secretary has my shared calendar on her iPhone and that she can edit it? We are on Exchange 2010, Outlook 2010, iPhone 4s. Can it be done through some app? Thank you! I'm trying to avoid creating my Exchange ActiveSync account on her iPhone and then sync only my calendar.

    Thank you for your time. I'm trying to avoid that because she can then simply turn on mail synchronization and then she could read my mail. Another reason is our password policy, that enforces changing our Windows logon password every 90 days. Of course changing Windows logon passwords demands changing Exchange account logon info (password) on iPhone. I have read somewhere that there was an app but it was removed from the App Store. Any other suggestions would be appreciated.

  • Publishing CRM 2011 on Web Application Proxy Using Kerberos Constrained Delegation

    Hello,
    Couldn't find a sub category that seemed suitable for this discussion so I just dropped it in Windows Server 2012 General.
    So to summarize...
    Web Application Proxy (WAP) on 2012r2, ADFS on 2012r2, and CRM 2011 RU11 is on 2008r2.
    WAP has a pass through rule setup for the ADFS site and a preauth rule setup for the CRM site.  All SPNs and delegation are setup in AD.
    Setup is 1 WAP, 1 NIC, 1 ADFS server and 1 CRM server.
    I have successfully published my CRM 2011 site on Web Application Proxy and am successfully doing Kerberos Constrained Delegation.  I am also doing Client certificate authentication on the ADFS server which works fine.  I am doing this over 49443 just fine.
    Try to access the CRM site, WAP redirects me to ADFS as expected, Client certificate auth happens at the ADFS server,  I am redirected back to my CRM site with my authToken so pre authentication can happen successfully.  KCD ensues after just fine and I am reverse proxied back to the CRM site.
    Herein lies the problem though...
    When I am reverse proxied back to the CRM site, I receive the standard "An error has occurred Try this action again.... yada yada yada" message with the Try Again or Close button.  If I click try again, I am able to access the site with no problem and the solution works great!  This obviously is not acceptable though.
    The error URL looks like the following (changed it for obvious reasons)
    https://crmsite.contoso.com/ORG1/_common/error/errorhandler.aspx?BackUri=https%3a%2f%2fadfs.contoso.com%2fadfs%2fls%3fversion%3d1.0%26action%3dsignin%26realm%3durn%253AAppProxy%253Acom%26appRealm%3d63ce68f1-3de4-e411-9412-005056a67a8d%26returnUrl%3dhttps%253A%252F%252Fcrmsite.contoso.com%252F%26client-request-id%3d4A1A0958-76F3-0000-5D91-1C4AF376D001&ErrorCode=&Parm0=%0d%0a%0d%0aError%20Details%3a%20An%20unhandled%20exception%20occurred%20during%20the%20execution%20of%20the%20current%20web%20request.%20Please%20review%20the%20stack%20trace%20for%20more%20information%20about%20the%20error%20and%20where%20it%20originated%20in%20the%20code.&RequestUri=%2fdefault.aspx
    The error that correlates to this in CRM is
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Little bit further down
    Exception information:
        Exception type: InvalidOperationException
        Exception message: CRM Parameter Filter - Invalid parameter 'AuthMethod=CertificateAuthentication' in Request.Form on page /default.aspx
    If anybody has any insight or experience publishing CRM on WAP using KCD and has run into this issue, help would be greatly appreciated.
    Also to head off this question, we cannot do an IFD setup.  There is a custom developed solution which resides on top of the CRM installation that is not claims friendly.
    Thanks!
    Jonathan

    Hi,
    Please check if anyone of the links below is helpful:
    http://blogs.msdn.com/b/javaller/archive/2014/01/13/publishing-crm-internet-facing-deployment-using-web-application-proxy-and.aspx
    http://blogs.technet.com/b/dynamicspts/archive/2014/10/03/using-web-application-proxy-to-publish-dynamics-crm-2013-to-the-internet.aspx
    Best Regards.
    Steven Lee

  • Internal outlook client connectivity in exchange 2010 when coexist with exchange 2013

    Hi all ,
    On my side I would like to clarify a few queries.
    Say for instance I am coexisting Exchange 2010 with Exchange 2013, and unfortunately all of my Exchange 2013 servers go down.
    Q1. At that time, will the internal Outlook users having their mailboxes on Exchange 2010 be able to connect to their mailboxes without any issues? In case they face any issues, what kind of issues will they be? The reason I am asking is that we should have pointed the autodiscover service to Exchange 2013 during coexistence.
    When a user closes and reopens Outlook after a whole Exchange 2013 environment failure, Outlook will first query the autodiscover service for profile changes to get them updated in the user's Outlook profile. In such a case the autodiscover service will not be reachable, and I wanted to know whether that affects the internal client connectivity for Outlook users having their mailboxes on Exchange 2010.
    Q2. Apart from Outlook internal users' connectivity, what kind of Exchange services (i.e. OWA, ActiveSync, POP, external OA and IMAP) will get affected when the whole Exchange 2013 environment goes down during coexistence?
    I have read the below mentioned statement on this awesome blog but still I wanted to clarify with you all on my scenario.
    http://blogs.technet.com/b/exchange/archive/2014/03/12/client-connectivity-in-an-exchange-2013-coexistence-environment.aspx
    Internal Outlook Connectivity
    For internal Outlook clients using RPC/TCP connectivity whose mailboxes exist on Exchange 2010, they will still connect to the Exchange 2010 RPC Client Access array endpoint.
    For internal Outlook clients using RPC/TCP connectivity whose mailboxes exist on Exchange 2007, they will still connect directly to the Exchange 2007 Mailbox server instance hosting the mailbox.
    Please share your suggestions; that would help me a lot.
    Regards
    S.Nithyanandham

    Hi Winnie Liang ,
    Thanks a lot for your reply.
    Scenario  1 : for internal outlook connectivity 
    We have below settings for exchange 2010 autodiscover.
    mail.domain.com - will be the namespace for internal autodiscover URI for all the Exchange 2010 CAS servers
    We are going to have below settings for Exchange 2013 autodiscover.
    mail.domain.com - will be the namespace for internal autodiscover URI for all the Exchange 2013 CAS servers
    During coexistence mail.domain.com will be pointed to the Exchange 2013 CAS servers. I mean to say, if we try to resolve mail.domain.com it will resolve to the Exchange 2013 CAS servers.
    So in such a case, if anything goes wrong in the new environment or the entire environment goes down, do we face any issues while Outlook users connect to existing mailboxes on Exchange 2010?
    The reason I am asking is that in the below mentioned article I have read that all autodiscover requests will go via the Exchange 2013 CAS servers during coexistence. That means all the existing mailboxes on Exchange 2010 will also have to query the Exchange 2013 CAS servers for autodiscover requests. During a whole Exchange 2013 environment failure, whenever the user closes and opens Outlook, Outlook will first query the autodiscover service for any changes that happened on that particular mailbox and will try to get them updated in the user profile.
    http://blogs.technet.com/b/exchange/archive/2014/03/12/client-connectivity-in-an-exchange-2013-coexistence-environment.aspx
    Would it be possible to make the exchange 2010 mailbox users to query only the scp points which belongs to the exchange 2010 cas servers for autodiscover request ?
    Scenario 2: For exchange services
    mail.domain.com - will be the namespace for all the exchange 2010 services (i.e owa,activesync,external outlook anywhere,pop,imap)
    mail.domain.com - will be the namespace for all the exchange 2013 services (i.e owa,activesync,external outlook anywhere,pop,imap)
    What about the above services will it get affected during whole exchange 2013 environment failure ?
    Note: We are not facing this issue. I hope everything goes well in my environment while doing coexistence; I am just asking this question out of my own interest.
    Regards
    S.Nithyanandham
    Thanks S.Nithyanandham

  • Exchange 2013 - How to configure Outlook Anywhere with certificate based authentication?

    Hello,
    is it possible to secure Outlook Anywhere in Exchange 2013 with certificate based authentication?
    I found documentation to configure CBA for OWA and ActiveSync, but not for Outlook Anywhere.
    We would like to secure external access to the mailboxes via Outlook by using CBA.
    Thanks a lot in advance!
    Regards,
    André

    Hi,
    Let’s begin with the answer in the following thread:
    http://social.technet.microsoft.com/Forums/en-US/e4b44ff0-4416-44e6-aa78-be4c1c03f433/twofactor-authentication-outlook-anywhere-2010?forum=exchange2010
    Based on my experience, Outlook client only has the following three authentication methods: Basic, NTLM, Negotiate. And for more information about Security for Outlook Anywhere, you can refer to the following article:
    http://technet.microsoft.com/en-us/library/bb430792(v=exchg.141).aspx
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support
