Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-10-24

This topic provides recommendations for using Outlook Anywhere in your Exchange infrastructure.

We recommend the following configuration when you use Microsoft Exchange with Outlook Anywhere.

Authentication Options for Outlook Anywhere in Exchange 2007 Service Pack 1 (SP1)

By default, in the original release (RTM) version of Exchange 2007, the /rpc virtual directory was enabled for both Basic authentication and Integrated Windows authentication and could not be modified. Even if you were only using one authentication method, both authentication methods were always enabled for the /rpc virtual directory. This was determined to be a security vulnerability and in Exchange 2007 SP1, you can now select to use only one authentication method on the /rpc virtual directory. Although not recommended, you can also choose to allow both Basic and Integrated Windows authentication.

For new installations of Exchange 2007 SP1, by default, the authentication method on the /rpc virtual directory will be the same as the authentication method that you choose when you enable Outlook Anywhere by using the Enable Outlook Anywhere wizard. The default authentication method for Internet Information Services (IIS) can be modified by using the Set-OutlookAnywhere cmdlet to be either Integrated Windows authentication or Basic authentication or both. As an alternative to using the Enable Outlook Anywhere wizard, the Enable-OutlookAnywhere cmdlet can be used to configure Outlook Anywhere.

Important:
After you upgrade from the RTM version of Exchange 2007 to Exchange 2007 SP1, we recommend that you manually specify a single authentication method by using the Set-OutlookAnywhere cmdlet.

Using Multiple Authentication Methods for Outlook Anywhere

If you deploy a firewall server that performs authentication delegation, you must change the authentication method on the /rpc virtual directory to a method different from the authentication method that is used by the client. For example, if you deploy a firewall server that performs authentication delegation, the firewall server authenticates to the Client Access server by using NTLM authentication. The client, however, uses Basic authentication. In this example, the firewall server is responsible for delegating the user’s authentication. This is why you configure the /rpc virtual directory in IIS to use NTLM authentication.

Although not recommended, in Exchange 2007 SP1 you can configure the /rpc virtual directory in IIS to use both NTLM and Basic authentication. A common situation in which both authentication methods might be used is when additional services for RPC over HTTP are proxied to the same Client Access server that provides Outlook Anywhere access. In this example, each service requires both authentication methods. To configure the /rpc virtual directory in IIS to use both NTLM and Basic authentication, run the following command:

Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic,NTLM
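The following Exchange Management Shell script is an added example and is not part of the original topic. It audits every Outlook Anywhere configuration in the organization, warns where more than one authentication method is enabled on the /rpc virtual directory (the state the Important note above asks you to correct after an upgrade from RTM), and, when run with -Fix, reduces it to a single method with the same Set-OutlookAnywhere cmdlet used above. The default method name, the IISAuthenticationMethods property name and the output wording are assumptions.

```powershell
# Added example (not from the original topic). Run in the Exchange 2007 SP1 Management Shell.
# Lists each Outlook Anywhere configuration, flags any with both Basic and NTLM enabled on
# /rpc, and with -Fix restricts IIS to one method.
# Assumptions: the IISAuthenticationMethods property name and the default method below.
param(
    [string]$DesiredMethod = "NTLM",   # Basic or NTLM; choose the one your clients or firewall use
    [switch]$Fix
)

function Test-SingleIISAuthMethod {
    param($OutlookAnywhere)
    # IISAuthenticationMethods is multi-valued; more than one entry means both methods
    # are enabled on /rpc, which the topic advises against.
    $methods = @($OutlookAnywhere.IISAuthenticationMethods)
    return ($methods.Count -eq 1)
}

Get-OutlookAnywhere | ForEach-Object {
    $oa = $_
    $methods = @($oa.IISAuthenticationMethods) -join ","
    if (Test-SingleIISAuthMethod $oa) {
        Write-Host ("{0}: IIS authentication [{1}] - single method, OK" -f $oa.Server, $methods)
    } else {
        Write-Warning ("{0}: IIS authentication [{1}] - more than one method enabled on /rpc" -f $oa.Server, $methods)
        if ($Fix) {
            # Same cmdlet the topic uses; restrict /rpc to the chosen method only.
            Set-OutlookAnywhere -Identity $oa.Identity -IISAuthenticationMethod $DesiredMethod
            Write-Host ("{0}: IIS authentication set to {1}" -f $oa.Server, $DesiredMethod)
        }
    }
}
```

Run it once without -Fix to see the current state on every Client Access server, then decide per server which single method the client (or the delegating firewall) actually uses before applying the change.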

Using Your Own Certification Authority

You can use the Certification Authority tool in Microsoft Windows to install your own certification authority. By default, applications and Web browsers do not trust your root certification authority when you install your own certification authority. When a user tries to connect in Microsoft Office Outlook 2007 or Outlook 2003 by using Outlook Anywhere, that user loses the connection to Microsoft Exchange. The user is not notified. The user loses the connection when one of the following conditions is true:

  • The client does not trust the certificate.

  • The certificate does not match the name to which the client tries to connect.

  • The certificate date is incorrect.

Therefore, you must make sure that the client computers trust the certification authority. Additionally, if you use your own certification authority, when you issue a certificate to your Client Access server, you must make sure that the Common Name field or the Issued to field on that certificate contains the same name as the URL of the Client Access server that is available on the Internet. For example, the Common Name field or the Issued to field must contain a name that resembles mail.contoso.com. These fields cannot contain the internal fully qualified domain name of the computer. For example, they cannot contain a name that resembles mycomputer.contoso.com.
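The following script is an added example and is not part of the original topic. It checks an exported Client Access server certificate for the three conditions listed above that make Outlook drop the connection silently: the local computer does not trust the issuing chain, the name on the certificate does not match the public name clients connect to, or the validity dates are wrong. The certificate path and the name mail.contoso.com are placeholders; the script uses only the .NET X509 classes available on the Exchange 2007 platform.

```powershell
# Added example (not from the original topic). Checks a Client Access server certificate
# against the three failure conditions: chain trust, name match, and validity dates.
# Assumptions: the certificate file path and the external name are placeholders.
param(
    [string]$CertPath = "C:\certs\cas.cer",       # exported public certificate (DER or Base64)
    [string]$ExternalName = "mail.contoso.com"    # name clients use from the Internet
)

function Test-OutlookAnywhereCertificate {
    param([string]$Path, [string]$ExpectedName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $result = @{}

    # 1. Trust: build the chain against this computer's trusted roots. A private CA whose
    #    root is not installed on the client fails here; Outlook gives the user no notice.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.Trusted = $chain.Build($cert)
    $result.ChainStatus = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ",")

    # 2. Name: the Common Name / Issued to field must carry the public URL name,
    #    not the internal fully qualified domain name of the server.
    $name = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $result.SubjectName = $name
    $result.NameMatches = ($name -ieq $ExpectedName)

    # 3. Dates: the certificate must be valid now.
    $now = Get-Date
    $result.NotBefore = $cert.NotBefore
    $result.NotAfter = $cert.NotAfter
    $result.DateValid = (($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter))

    return $result
}

$r = Test-OutlookAnywhereCertificate -Path $CertPath -ExpectedName $ExternalName

Write-Host ("Subject name : {0}" -f $r.SubjectName)
Write-Host ("Valid from   : {0} to {1}" -f $r.NotBefore, $r.NotAfter)
if (-not $r.Trusted)     { Write-Warning ("Chain not trusted on this computer: " + $r.ChainStatus) }
if (-not $r.NameMatches) { Write-Warning ("Name mismatch: certificate says '{0}', clients connect to '{1}'" -f $r.SubjectName, $ExternalName) }
if (-not $r.DateValid)   { Write-Warning "Certificate is outside its validity period" }
if ($r.Trusted -and $r.NameMatches -and $r.DateValid) { Write-Host "Certificate passes all three checks" }
```

Run the script on a representative client computer rather than on the server: the trust check reflects the root store of the machine it runs on, which is exactly what Outlook evaluates when it connects. Wildcard names are not matched by this simple comparison and would need a pattern check.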

For More Information

For more information about Outlook Anywhere, see the following topics: