Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2009-05-08
This topic explains how to use the Exchange Management Console or the Exchange Management Shell in Microsoft Exchange Server 2007 to enable Outlook Anywhere for your organization.
Before You Begin
To enable Outlook Anywhere, follow these steps in order:
1. Install a valid Secure Sockets Layer (SSL) certificate from a trusted certification authority (CA) that the client trusts.
2. Install the Windows RPC over HTTP Proxy component.
3. Enable Outlook Anywhere on a computer that has the Exchange Server 2007 Client Access server role installed.
When you install Exchange 2007, you can install a default SSL certificate that is created by Exchange Setup. However, this certificate is not a valid SSL certificate that is trusted by the client. To use Outlook Anywhere, you must install an SSL certificate that is trusted by the client.
To perform this procedure, the account that you use must be delegated the following:
Exchange Organization Administrator role
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
To install the RPC over HTTP Windows Networking component in Windows Server 2003 or in earlier versions of Windows
1. Click Start, point to Settings, click Control Panel, and then double-click Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. On the Windows Components page, select Networking Services in the Components window, and then click the Details button.
4. On the Networking Services page, select the check box next to RPC over HTTP Proxy in the Subcomponents of Networking Services window, and then click OK.
5. On the Windows Components page, click Next.
6. Click Finish to close the Windows Components Wizard.
To install the RPC over HTTP Windows Networking component in Windows Server 2008
1. Click Start, and then click Control Panel.
2. Double-click Programs and Features.
3. Click Turn Windows features on or off. Server Manager opens.
4. In the left pane of Server Manager, click Features.
5. In the right pane, click Add Features.
6. In the Add Features Wizard, click to select the RPC over HTTP Proxy check box.
7. If the Add role services required for HTTP Proxy dialog box appears, click Add Required Role Services.
8. Read the information on the Web Server (IIS) page, and then click Next.
9. On the Select Role Services page, click Next.
10. On the Confirm Installation Selections page, click Install.
11. When the features are installed, click Close.
To use the Exchange Management Console to enable Outlook Anywhere
1. In the console tree, expand Server Configuration, and then click Client Access.
2. In the action pane, click Enable Outlook Anywhere.
3. In the Enable Outlook Anywhere Wizard, type the external host name for your organization in the box under External host name.
4. Select an available external authentication method. You can select Basic authentication or NTLM authentication.
5. If you are using an SSL accelerator and if you want to do SSL offloading, select the check box next to Allow secure channel (SSL) offloading.
   Do not use this option unless you are sure that you have an SSL accelerator that can handle SSL offloading. If you do not have an SSL accelerator that can handle SSL offloading, and you select this option, Outlook Anywhere will not function correctly.
6. Click Enable to apply these settings and enable Outlook Anywhere.
7. Click Finish to close the Enable Outlook Anywhere Wizard.
To use the Exchange Management Shell to enable Outlook Anywhere on a computer that is running Exchange Server 2007
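Run the following command, replacing the <ServerName> and <ExternalHostName> placeholders with your values:
Enable-OutlookAnywhere -Server:<ServerName> -ExternalHostName:<ExternalHostName> -ExternalAuthenticationMethod:Basic -SSLOffloading:$false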
Running this cmdlet with the ExternalAuthenticationMethod and SSLOffloading parameters will enable Outlook Anywhere with Basic authentication and without SSL offloading.
To use the Exchange Management Shell to enable Outlook Anywhere on a computer that is running Exchange Server 2007 Service Pack 1 (SP1) or a later version
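Run the following command, replacing the <ServerName>, <ExternalHostName> and <AuthenticationMethods> placeholders with your values:
Enable-OutlookAnywhere -Server:<ServerName> -ExternalHostName:<ExternalHostName> -ClientAuthenticationMethod:Basic -IISAuthenticationMethods:<AuthenticationMethods> -SSLOffloading:$false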
For more information about the syntax and parameters that can be used together with the Enable-OutlookAnywhere cmdlet, see Enable-OutlookAnywhere.
When Exchange 2007 is run under Windows Server 2008, clients who use Exchange 2007 may be repeatedly prompted for their credentials during Outlook Anywhere sessions. This issue occurs when NTLM Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box for the Outlook profile on the client computer. This issue does not occur if Basic Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box. By default, Kernel Mode Authentication is enabled in Internet Information Services (IIS) 7.0 on Client Access servers that are running Windows Server 2008 with versions of Exchange 2007 that are earlier than Exchange Server 2007 Update Rollup 8. This issue does not occur with the following versions of Exchange 2007:
Exchange Server 2007 Service Pack 1 (SP1) with Update Rollup 8
Exchange Server 2007 Service Pack 2 (SP2)
To resolve this issue, disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008.
To disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008
At a command prompt, type the following command, and then press ENTER:
%systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false
When you have the Outlook Anywhere feature configured on a Windows Server 2008-based computer that is running Terminal Services Gateway, you may experience the following symptoms:
If you enable Outlook Anywhere before you install Terminal Services Gateway, users cannot connect to their Exchange mailboxes by using RPC over HTTP.
If you enable Outlook Anywhere after you install Terminal Services Gateway, Outlook Anywhere users can connect to Exchange by using RPC over HTTP. However, after you open the TS Gateway Manager snap-in, Outlook Anywhere users can no longer connect to Exchange by using RPC over HTTP.
You experience this issue if NTLM authentication is disabled in Internet Information Services (IIS).
This issue occurs because Basic authentication is disabled when you install Terminal Services Gateway or when you open the TS Gateway Manager snap-in. Outlook Anywhere authentication supports Basic authentication and NTLM authentication. If NTLM authentication is also disabled, Outlook Anywhere cannot function correctly. For example, this problem occurs in Windows Small Business Server 2008 where NTLM authentication is disabled by default.
Outlook Anywhere and Terminal Services Gateway both rely on the RPC over HTTP protocol.
For more information about this issue and to obtain a hotfix to resolve this issue, see Microsoft Knowledge Base article 954034, The Exchange Server Outlook Anywhere feature does not work correctly if it is installed on a Windows Server 2008-based server that has Terminal Services Gateway installed.
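A read-only check of the settings this topic configures, added here as an example and not part of the original Microsoft topic. It assumes the Exchange Management Shell on a Client Access server running Exchange 2007 SP1 or later (for the ClientAuthenticationMethod and IISAuthenticationMethods properties) and, for the last step, Windows Server 2008 with IIS 7.0.

```powershell
# Added example: reviews the local Client Access server and changes nothing.
$now = Get-Date
$oa  = Get-OutlookAnywhere -Server $env:COMPUTERNAME
if (-not $oa) {
    Write-Warning "Outlook Anywhere is not enabled on $env:COMPUTERNAME."
    return
}
$hostName = "$($oa.ExternalHostname)"

# 1. Settings applied by Enable-OutlookAnywhere.
"ExternalHostname           : $hostName"
"ClientAuthenticationMethod : $($oa.ClientAuthenticationMethod)"
"IISAuthenticationMethods   : $($oa.IISAuthenticationMethods)"
"SSLOffloading              : $($oa.SSLOffloading)"
if ($oa.SSLOffloading) {
    Write-Warning "SSL offloading is on; confirm an SSL accelerator that handles offloading sits in front of this server."
}

# 2. Certificates enabled for IIS: the default certificate created by Exchange
#    Setup is self-signed and is not trusted by clients.
$covered = $false
$iisCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })
foreach ($cert in $iisCerts) {
    foreach ($domain in $cert.CertificateDomains) {
        # Assumption: a wildcard entry is listed as *.domain, which -like can match.
        if ($hostName -like "$domain") { $covered = $true }
    }
    if ($cert.IsSelfSigned) {
        Write-Warning "$($cert.Thumbprint): self-signed; clients will not trust it."
    }
    if ($cert.NotAfter -lt $now) {
        Write-Warning "$($cert.Thumbprint): expired on $($cert.NotAfter)."
    }
}
if (-not $covered) {
    Write-Warning "No certificate enabled for IIS lists $hostName."
}

# 3. Kernel Mode Authentication (IIS 7.0 only). The attribute defaults to true,
#    so it is treated as enabled unless the config shows it set to false.
$appcmd = Join-Path $env:SystemRoot 'system32\inetsrv\AppCmd.exe'
if (Test-Path $appcmd) {
    $section = 'system.webServer/security/authentication/windowsAuthentication'
    $config  = & $appcmd list config "/section:$section"
    if ("$config" -match 'useKernelMode="false"') { "Kernel Mode Authentication : disabled" }
    else { "Kernel Mode Authentication : enabled (IIS 7.0 default)" }
}
```

With Basic authentication the user's password is sent to the server on each connection, so a warning from step 2 should be resolved before Outlook Anywhere is published externally.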
For More Information
For more information about Outlook Anywhere, see the following topics:
Overview of Outlook Anywhere
Recommendations for Outlook Anywhere
Managing Outlook Anywhere
How to Install Exchange 2007 SP1 and SP2 Prerequisites on Windows Server 2008 or Windows Vista
How to Configure Authentication for Outlook Anywhere