Thursday, May 15, 2008

Exchange - Genie

Configuring Outlook Anywhere for Exchange 2007 SP1

By: Brian Trich

Updated April 22, 2008
Exchange 2007 has rebranded RPC over HTTPS, which is now called Outlook Anywhere, and has made some slight modifications between RTM and Exchange 2007 SP1.
http://msexchangeteam.com/archive/2007/11/08/447484.aspx

When using Outlook 2007, the Autodiscover service is heavily tied into Outlook Anywhere functionality; I am going to reference a previous posting that explains those functions in detail.
http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html

With Exchange 2007, in order to allow clients remote access to the mail system you will need to install an Exchange 2007 CAS server, which allows clients to access their mail via IMAP, POP, OWA, ActiveSync, and RPC over HTTPS (Outlook Anywhere).

For this article I am going to skip the installation of each server role and just work with the configuration. The lab consists of 1 DC, 1 CAS/Hub and 1 MBX server running Windows 2003 and Exchange 2007 SP1.


http://bp1.blogger.com/_jG-efUpJ7Oc/R-rtPie74OI/AAAAAAAAAr8/pgCGZ3anNmo/s320/rpc_proxy.jpg



RPC over HTTP was first introduced with Exchange 2003 and has been renamed Outlook Anywhere in Exchange 2007. In order to use this functionality with Exchange we must install the RPC over HTTP Proxy networking component on a server (recommended on your Exchange server).

What does this network component do for us?
RpcProxy.dll is an Internet Server API (ISAPI) extension that runs in Internet Information Services (IIS). RpcProxy.dll listens for activity on the RPC virtual directory.

RpcProxy.dll requires authentication and will not pass anonymous requests, even if IIS is configured for anonymous authentication.

When an Outlook client typically communicates with an Exchange server, the client attempts to connect via MAPI RPC. With RPC over HTTP, Outlook makes an HTTP connection to the RPC proxy server, which strips the HTTP layer and sends the RPC request to the appropriate Exchange server.

Installing the RPC over HTTP networking component:
1. From Add/Remove Programs select Windows Components
2. Select Networking Services, then Details
http://bp1.blogger.com/_jG-efUpJ7Oc/R89CLJxkTVI/AAAAAAAAAqk/QN7m9Zo9KrI/s320/i1.jpg
3. Select RPC over HTTP Proxy -> OK
http://bp2.blogger.com/_jG-efUpJ7Oc/R89CSZxkTWI/AAAAAAAAAqs/NGjo8FIjkqA/s320/i2.jpg
4. Click Next to start the installation
5. Click Finish to complete the installation

How do we verify the installation?
1. Validate that you have 2 virtual directories installed, called RPC and RPC with Cert
The 2 new virtual directories point to C:\WINDOWS\System32\RpcProxy, which is the location of rpcproxy.dll
http://bp3.blogger.com/_jG-efUpJ7Oc/R89CbpxkTXI/AAAAAAAAAq0/EJFYBsu1sZg/s320/v1.jpg
http://bp2.blogger.com/_jG-efUpJ7Oc/R89CjZxkTYI/AAAAAAAAAq8/50XPAuSMnbQ/s320/v2.jpg
2. Verify the RPC Proxy Server Extension is allowed in IIS (this is enabled automatically after you install the component)
http://bp0.blogger.com/_jG-efUpJ7Oc/R89Ct5xkTZI/AAAAAAAAArE/uLa2PK4wfL0/s320/v3.jpg
Later we will look at a tool called rpc dump that can be used to troubleshoot connectivity problems.


After we have installed our CAS server we need to enable Outlook Anywhere, which can be done in one of two ways: 1. EMS (command line) or 2. EMC (GUI).

1. EMS
To work with Outlook Anywhere via EMS we use the following set of commands: Get-OutlookAnywhere, Set-OutlookAnywhere and Enable-OutlookAnywhere.

A. Open EMS
B. Now we will use the Enable-OutlookAnywhere command to enable this feature
--The following switches are available for the command:
** Pre SP1
Enable-OutlookAnywhere -DefaultAuthenticationMethod <Basic | Ntlm> -ExternalHostname <Hostname> -SSLOffloading <$true | $false> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-Server <ServerIdParameter>] [-TemplateInstance <PSObject>] [-WhatIf [<SwitchParameter>]]
** Post SP1
Enable-OutlookAnywhere -ClientAuthenticationMethod <Basic | Ntlm> -ExternalHostname <Hostname> -SSLOffloading <$true | $false> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-IISAuthenticationMethods <MultiValuedProperty>] [-Server <ServerIdParameter>] [-TemplateInstance <PSObject>] [-WhatIf [<SwitchParameter>]]

For this demo I used the following command:
[PS] C:\>
Enable-OutlookAnywhere -Server vmcashub -SSLOffloading:$false -ExternalHostname vmcashub.vn.local -ClientAuthenticationMethod basic -IISAuthenticationMethods basic
http://bp3.blogger.com/_jG-efUpJ7Oc/R89C3pxkTaI/AAAAAAAAArM/h_ycvdAmSk0/s320/ems-en1.jpg
*Note: if you use -DefaultAuthenticationMethod it will override ClientAuthenticationMethod and IISAuthenticationMethods*
*ClientAuthenticationMethod is the setting Autodiscover uses to configure the client*

Enable-OutlookAnywhere
http://technet.microsoft.com/en-us/library/bb124993%28EXCHG.80%29.aspx

We can use the Get-OutlookAnywhere command to view our configuration
Get-OutlookAnywhere
http://technet.microsoft.com/en-us/library/bb124263%28EXCHG.80%29.aspx

Once we have enabled Outlook Anywhere, any future modification is done with the Set-OutlookAnywhere command (i.e. changing authentication)
Set-OutlookAnywhere http://technet.microsoft.com/en-us/library/bb123545%28EXCHG.80%29.aspx

2. EMC
a. Open EMC --> Server Configuration --> Client Access
b. Select the CAS server you want to enable
c. Click the button to Enable Outlook Anywhere
http://bp3.blogger.com/_jG-efUpJ7Oc/R89DCpxkTbI/AAAAAAAAArU/HIeUkJzdsNU/s320/emc1.jpg
d. Enter the external name that clients will use to connect to your Exchange server; note this name should match the name on your certificate. Select the authentication method of choice.
http://bp2.blogger.com/_jG-efUpJ7Oc/R9QO5xXdgOI/AAAAAAAAAr0/HlcPDdBPjm8/s320/emcbasic.jpg
e. On the Completion Wizard Click finish
http://bp3.blogger.com/_jG-efUpJ7Oc/R89DMpxkTcI/AAAAAAAAArc/dWOx6fdj64k/s320/emc2.jpg
As you saw, there is very little configuration when enabling Outlook Anywhere; we have 3 options:
1. URL, 2. authentication, and 3. Enable SSL offloading
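Two of those three options are easy to get subtly wrong: the external name must appear on the certificate IIS presents, and the authentication method handed to clients must be one IIS on the RPC virtual directory actually accepts. The following is an added example, not code from the original post or from Microsoft: a small audit run in the Exchange Management Shell on the CAS. Test-HostnameOnCertificate is a pure function and can be run anywhere with constructed input; Test-OutlookAnywhereConfig assumes Get-OutlookAnywhere and Get-ExchangeCertificate are available and that the IIS certificate exposes CertificateDomains, as it does in Exchange 2007 SP1. The host and domain names used at the bottom are taken from the post's lab and the wildcard entry is constructed.

```powershell
# Added example: audit Outlook Anywhere settings against the IIS certificate.

function Test-HostnameOnCertificate {
    # $true when $Hostname is covered by one of the certificate's domain names,
    # either exactly or by a single-label wildcard such as *.vm.local.
    param([string]$Hostname, [string[]]$CertificateDomains)
    $name = $Hostname.ToLower()
    foreach ($d in $CertificateDomains) {
        $d = $d.ToLower()
        if ($d -eq $name) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                       # ".vm.local"
            if ($name.EndsWith($suffix) -and $name.Length -gt $suffix.Length) {
                $label = $name.Substring(0, $name.Length - $suffix.Length)
                if (-not $label.Contains('.')) { return $true }   # wildcard covers one label only
            }
        }
    }
    return $false
}

function Test-OutlookAnywhereConfig {
    # One line per finding; an empty result means nothing was flagged.
    # Runs on the CAS because Exchange 2007 Get-ExchangeCertificate reads the local store.
    $findings   = @()
    $iisDomains = @()
    foreach ($cert in (Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })) {
        foreach ($d in $cert.CertificateDomains) { $iisDomains += "$d" }
    }

    foreach ($oa in Get-OutlookAnywhere) {
        $server     = "$($oa.Server)"
        $external   = "$($oa.ExternalHostname)"
        $clientAuth = "$($oa.ClientAuthenticationMethod)"
        $iisAuth    = "$($oa.IISAuthenticationMethods)"

        # Outlook refuses the connection when the name it dials is not on the certificate.
        if (-not (Test-HostnameOnCertificate $external $iisDomains)) {
            $findings += "$server : ExternalHostname $external is not on the IIS certificate (" +
                         [string]::Join(', ', [string[]]$iisDomains) + ")"
        }
        # Autodiscover hands ClientAuthenticationMethod to Outlook, so IIS must accept it too.
        if ($iisAuth -ne '' -and $iisAuth -notmatch $clientAuth) {
            $findings += "$server : ClientAuthenticationMethod $clientAuth is not among IISAuthenticationMethods ($iisAuth)"
        }
        # SSL offloading makes the CAS accept plain HTTP on /rpc; only correct with a
        # device in front of it that terminates SSL.
        if ($oa.SSLOffloading) {
            $findings += "$server : SSLOffloading is enabled; confirm a load balancer or ISA terminates SSL"
        }
    }
    return $findings
}

# Offline checks with values from the post's lab (the wildcard entry is constructed)
Test-HostnameOnCertificate 'vmcashub.vn.local' @('vmcashub.vn.local')
Test-HostnameOnCertificate 'mail.vm.local'     @('*.vm.local')
Test-HostnameOnCertificate 'mail.vm.local'     @('vmcashub.vn.local')

# On the CAS, in the Exchange Management Shell:
# Test-OutlookAnywhereConfig
```

The wildcard handling mirrors how Outlook matches names: *.vm.local covers mail.vm.local but not a.b.vm.local, so an external name two labels below the wildcard still fails the "Certificates" item under common issues below.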

Once we have enabled Outlook Anywhere we can validate that the registry key has been configured with the correct ports for communication to our mailbox servers. Note that only the names listed in the key can be used by clients to connect, and you will notice there is no IP address listed, so testing via IP will fail through the RPC proxy.

1. Click Start -> Run
2. Type regedit - this will open the Registry Editor
3. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
4. Notice the DWORD called Enabled set to 1
5. There is a string value called "ValidPorts":
VMMBX1:6001-6002;VMMBX1:6004;vmmbx1.vm.local:6001-6002;vmmbx1.vm.local:6004

http://bp2.blogger.com/_jG-efUpJ7Oc/R89ECZxkTeI/AAAAAAAAArs/wb3cNAYe1B4/s320/regedit.jpg
**Note: if the ports are not listed it could take up to 15 minutes to update, or you can restart the Microsoft Exchange Service Host service **
We can see that the RPC proxy connects to our mailbox server on ports 6001-6002 and 6004. Each port is defined below:

Microsoft Exchange Information Store service: 6001
referral service of DSProxy: 6002
proxy service of DSProxy: 6004
Active Directory (if the global catalog server and Exchange Server are on the same server): 6004

In our client testing we can validate the proxy making connections to our mailbox server with these ports.
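Because the RPC proxy will forward to any host:port pair in ValidPorts and nothing else, that string is worth checking rather than eyeballing: a missing entry breaks clients, and an entry for a host that is not one of your mailbox servers is a misconfiguration to investigate. The following is an added example, not from the original post: it parses the ValidPorts format shown above (host:port and host:low-high entries separated by semicolons) and checks every mailbox server under both its NetBIOS name and FQDN for 6001, 6002 and 6004. The mailbox server names are parameters; by default the value is read from the local registry key named above, and the offline call at the bottom uses a copy of the post's ValidPorts string.

```powershell
# Added example: validate the RpcProxy ValidPorts registry value.

function Get-ValidPortEntries {
    # Splits "host:port;host:low-high;..." into hashtables with Host, Low, High.
    param([string]$ValidPorts)
    $entries = @()
    foreach ($item in $ValidPorts.Split(';')) {
        if ($item -notmatch '^\s*([^:\s]+):(\d+)(-(\d+))?\s*$') { continue }
        $low  = [int]$matches[2]
        $high = $low
        if ($matches[4]) { $high = [int]$matches[4] }
        $entries += @{ Host = $matches[1].ToLower(); Low = $low; High = $high }
    }
    return $entries
}

function Test-RpcProxyValidPorts {
    param(
        [string[]]$MailboxServers,      # NetBIOS names, e.g. 'VMMBX1'
        [string]$DnsSuffix,             # e.g. 'vm.local'
        [string]$ValidPorts = (Get-ItemProperty 'HKLM:\Software\Microsoft\Rpc\RpcProxy').ValidPorts,
        [int]$Enabled       = (Get-ItemProperty 'HKLM:\Software\Microsoft\Rpc\RpcProxy').Enabled
    )
    $required = @(6001, 6002, 6004)    # Information Store, DSProxy referral, DSProxy proxy
    $entries  = @(Get-ValidPortEntries $ValidPorts)
    $problems = @()
    if ($Enabled -ne 1) { $problems += "Enabled DWORD is $Enabled, expected 1" }

    $expectedHosts = @()
    foreach ($mbx in $MailboxServers) {
        $expectedHosts += $mbx.ToLower()
        $expectedHosts += "$mbx.$DnsSuffix".ToLower()
    }

    # Every expected name must cover every required port (ranges count).
    foreach ($name in $expectedHosts) {
        foreach ($port in $required) {
            $hit = $entries | Where-Object { $_.Host -eq $name -and $port -ge $_.Low -and $port -le $_.High }
            if (-not $hit) { $problems += "$name is not allowed on port $port" }
        }
    }
    # The proxy forwards to any host in the key, so anything else listed deserves a look.
    foreach ($e in $entries) {
        if ($expectedHosts -notcontains $e.Host) {
            $problems += "Unexpected host $($e.Host) ports $($e.Low)-$($e.High) in ValidPorts"
        }
    }
    return $problems
}

# Offline run against a copy of the value shown in the post; no output means no problems.
Test-RpcProxyValidPorts -MailboxServers 'VMMBX1' -DnsSuffix 'vm.local' -Enabled 1 `
    -ValidPorts 'VMMBX1:6001-6002;VMMBX1:6004;vmmbx1.vm.local:6001-6002;vmmbx1.vm.local:6004'

# On the CAS, reading the live key:
# Test-RpcProxyValidPorts -MailboxServers 'VMMBX1' -DnsSuffix 'vm.local'
```

Run it after the 15-minute refresh window mentioned above, or after restarting the Microsoft Exchange Service Host, since that service is what populates the key.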


Configure a client:
1. Manually
1. Create a New profile
2. Check the manually configure box at the bottom
http://bp2.blogger.com/_jG-efUpJ7Oc/R_P_pie74aI/AAAAAAAAAtc/vH8spJSnI4Y/s320/1.jpg

3. Select Microsoft Exchange

http://bp1.blogger.com/_jG-efUpJ7Oc/R_QAjCe74gI/AAAAAAAAAuM/ARQR8bKh4tc/s320/2.jpg

4. Input your mailbox server name (this can be the FQDN or NetBIOS name)

http://bp2.blogger.com/_jG-efUpJ7Oc/R_P_3ie74cI/AAAAAAAAAts/CArh6sN5Cg4/s320/3.jpg

5. Click the "More settings" button

6. Select the connections tab

http://bp0.blogger.com/_jG-efUpJ7Oc/R_P_9Ce74dI/AAAAAAAAAt0/eNB16QqMxus/s320/4.jpg

7. Check the box "Connect to Microsoft Exchange using HTTP" -> Exchange Proxy Settings

http://bp0.blogger.com/_jG-efUpJ7Oc/R_QACye74eI/AAAAAAAAAt8/bdgdT67bgwo/s320/5.jpg

8. Input the URL of your Outlook Anywhere server and check the appropriate authentication

http://bp0.blogger.com/_jG-efUpJ7Oc/R_QAIye74fI/AAAAAAAAAuE/og08TSWezak/s320/6.jpg

9. Click OK and finish the profile

2. Autodiscover
** If Autodiscover is not working please refer to my blog post on Autodiscover **
http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html

1. Click Add
http://bp3.blogger.com/_jG-efUpJ7Oc/R_jQ9ie74hI/AAAAAAAAAuU/Mi1yoHsV5zg/s320/1.jpg

2. Give a name for the profile
http://bp0.blogger.com/_jG-efUpJ7Oc/R_jRGye74iI/AAAAAAAAAuc/uj4e4qb_eQU/s320/2.jpg

3. Input the display name, the user's email address and password
**Note: for a user logged on to the domain this information is auto-populated**
http://bp1.blogger.com/_jG-efUpJ7Oc/R_jRSCe74jI/AAAAAAAAAuk/asfDJdzASvc/s320/3.jpg

5. Logon to your mailbox
http://bp3.blogger.com/_jG-efUpJ7Oc/R_jRvie74lI/AAAAAAAAAu0/V8ygUbxOlFI/s320/4.jpg

6. Click Finish
http://bp2.blogger.com/_jG-efUpJ7Oc/R_jRoSe74kI/AAAAAAAAAus/7jjkh84Oteo/s320/5.jpg
Validation:
Now that we have installed all the components, we need to do some testing to validate that we have access to our mail.


Check Outlook connection status:
1. Log onto Outlook
2. In the system tray hold the CTRL key and right-click the Outlook icon
3. Select Connection Status
http://bp3.blogger.com/_jG-efUpJ7Oc/R-xP8ie74PI/AAAAAAAAAsE/aIFKo3-uwEA/s320/stat1.jpg

You can see our connection shows HTTPS, which validates that we are going through the CAS server and proxying our connection.

Netstat:
We can use netstat to show our connections for each hop: Client -> CAS -> MBX -> DC

Open a command window on the CAS server and type netstat -na
http://bp2.blogger.com/_jG-efUpJ7Oc/R-xQ9Se74QI/AAAAAAAAAsM/MJwat6lksWM/s320/stat2.jpg

You can see from the screenshot above that our client 192.168.1.5 is making connections on port 443 to our CAS server 192.168.1.101.

As noted in the Connection Status window in Outlook, the Outlook client makes multiple connections to the CAS server on port 443, and this is confirmed by the netstat output.

CAS -> MBX
On the mailbox server open a command window and type netstat -na

The first item to note is our mailbox server listening on ports 6001, 6002, and 6004, which are the ports used by RPC over HTTP to make connections.
http://bp2.blogger.com/_jG-efUpJ7Oc/R-xR7Se74SI/AAAAAAAAAsc/kpBIqHVQ5Z0/s320/MBXLISTEN.jpg

Below you can see our MBX server 192.168.1.102 receiving connections on ports 6001 and 6004 from our CAS server 192.168.1.101.
http://bp1.blogger.com/_jG-efUpJ7Oc/R-xRoCe74RI/AAAAAAAAAsU/MKANsRMaek4/s320/CAS2MBX600X.jpg

MBX -> DC
On our domain controller we can see the LDAP (389) and GC (3268) ports with connections from both our CAS server and MBX server.
http://bp0.blogger.com/_jG-efUpJ7Oc/R-xSUye74TI/AAAAAAAAAsk/EYRz7idDQi8/s320/DC2CASANDMBX.jpg
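Reading a full netstat -na listing by eye works in a three-server lab but not on a busy CAS or mailbox server, and the thing you actually want to know at each hop is two-fold: is the port listening, and which peers hold established sessions to it. On a mailbox server, for example, the only host that should be talking to 6001/6002/6004 over RPC over HTTP is the CAS. The following is an added example, not from the original post: a function that reduces netstat -na output to exactly that summary for a chosen set of ports and flags peers you did not expect. The sample lines are constructed to resemble the post's mailbox server (192.168.1.102) with the CAS at 192.168.1.101; the 192.168.1.50 peer is made up to show the warning path.

```powershell
# Added example: summarise 'netstat -na' for the Outlook Anywhere ports.

function Get-OutlookAnywhereConnections {
    # Returns a hashtable: Listening (ports), Established ("peer -> :port" => count),
    # and Warnings for established peers not in $ExpectedPeers (if given).
    param([string[]]$NetstatLines, [int[]]$Ports, [string[]]$ExpectedPeers)
    $listening = @()
    $counts    = @{}
    $warnings  = @()
    foreach ($line in $NetstatLines) {
        # e.g. "  TCP    192.168.1.102:6001     192.168.1.101:1187     ESTABLISHED"
        # The (\S+):(\d+) pairs also accept IPv6 forms such as [::]:6001.
        if ($line -notmatch '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)') { continue }
        $localPort = [int]$matches[2]
        $peer      = $matches[3]
        $state     = $matches[5]
        if ($Ports -notcontains $localPort) { continue }
        if ($state -eq 'LISTENING')   { $listening += $localPort; continue }
        if ($state -ne 'ESTABLISHED') { continue }

        $key = "$peer -> :$localPort"
        if ($counts.ContainsKey($key)) { $counts[$key] += 1 } else { $counts[$key] = 1 }
        if ($ExpectedPeers -and ($ExpectedPeers -notcontains $peer)) {
            $warnings += "Unexpected peer $peer has an established session to port $localPort"
        }
    }
    return @{ Listening = $listening; Established = $counts; Warnings = $warnings }
}

# Constructed sample, shaped like the mailbox server's netstat -na in the post.
$sample = @(
    '  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING',
    '  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING',
    '  TCP    0.0.0.0:6004           0.0.0.0:0              LISTENING',
    '  TCP    192.168.1.102:6001     192.168.1.101:1187     ESTABLISHED',
    '  TCP    192.168.1.102:6001     192.168.1.101:1188     ESTABLISHED',
    '  TCP    192.168.1.102:6004     192.168.1.101:1189     ESTABLISHED',
    '  TCP    192.168.1.102:6004     192.168.1.50:2033      ESTABLISHED'
)
$result = Get-OutlookAnywhereConnections -NetstatLines $sample -Ports @(6001, 6002, 6004) -ExpectedPeers @('192.168.1.101')
$result.Listening
$result.Established
$result.Warnings

# Live use on the mailbox server (CAS is the only expected peer):
# Get-OutlookAnywhereConnections -NetstatLines (netstat -na) -Ports @(6001, 6002, 6004) -ExpectedPeers @('192.168.1.101')
# Live use on the CAS, to count client sessions on 443 (no expected-peer list):
# Get-OutlookAnywhereConnections -NetstatLines (netstat -na) -Ports @(443)
```

For the sample above the function reports all three ports listening, two sessions from the CAS to 6001 and one to 6004, and a single warning for the constructed 192.168.1.50 peer. On a real mailbox server, other Exchange servers and management tools also use MAPI RPC over dynamic ports, so the expected-peer list only makes sense for the fixed 6001/6002/6004 ports shown here.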


Packet Captures:
We can use a tool like NetMon or Wireshark to perform network captures on each hop as well, to validate our traffic between each node. Note that this is encrypted traffic, so we will only see the sessions between the nodes.

This capture was run on the XP client; we can see TLS communication between our client 192.168.1.5 and our CAS 192.168.1.101.
http://bp2.blogger.com/_jG-efUpJ7Oc/R-xW1Se74VI/AAAAAAAAAs0/w9rEU_aTBwQ/s320/client-cas.jpg

This capture shows communication from the CAS 192.168.1.101 to the mailbox server on ports 6001/6004.

See the highlighted section showing a destination port 6001 from the CAS to the MBX server
http://bp3.blogger.com/_jG-efUpJ7Oc/R-xZbie74YI/AAAAAAAAAtM/sryG_i7EffY/s320/cas-mbx1.jpg

See the highlighted section showing a destination port 6004 from the CAS to the MBX server
http://bp3.blogger.com/_jG-efUpJ7Oc/R-xZDie74XI/AAAAAAAAAtE/JNUA5cQxvcs/s320/6004.jpg


Mailbox Server -> DC/GC
Below we can see our mailbox server making connections to the DC LDAP port 389.
http://bp2.blogger.com/_jG-efUpJ7Oc/R-xcGSe74ZI/AAAAAAAAAtU/BKXIRuUDU38/s320/ldap.jpg

RPCPing:

RPCPing is a utility that we can use to troubleshoot or validate that our RPC proxy is working properly.
It is a command line tool that can be found in the Windows 2003 Resource Kit: http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
We can use this tool to test RPC connectivity through the RPC proxy server used for Outlook Anywhere.

You can use this MS article to assist with this utility: http://support.microsoft.com/kb/831051

1. Open a command line to the resource kit directory

http://bp2.blogger.com/_jG-efUpJ7Oc/SA6HxRc9fdI/AAAAAAAAAvM/Yv-7YXmEZXU/s320/1.jpg

2. Let's connect to port 6001 (the Information Store)

rpcping -t ncacn_http -s vmmbx1.vm.local -o RpcProxy=mail.vm.local -P "brian.tirch,vm.local,*" -I "brian.tirch,vm.local,*" -H 1 -F 3 -v 3 -B msstd:mail.vm.local -e 6001 -u 10 -a connect

http://bp1.blogger.com/_jG-efUpJ7Oc/SA6H9Bc9feI/AAAAAAAAAvU/ncMgmCljDno/s320/2.jpg

You can see we make a successful connection
http://bp2.blogger.com/_jG-efUpJ7Oc/SA6IIRc9ffI/AAAAAAAAAvc/zEH2D6FJ1kU/s320/3.jpg

3. Let's connect to port 6004 (DSProxy)

rpcping -t ncacn_http -s vmmbx1.vm.local -o RpcProxy=mail.vm.local -P "brian.tirch,vm.local,*" -I "brian.tirch,vm.local,*" -H 1 -F 3 -v 3 -B msstd:mail.vm.local -e 6004 -u 10 -a connect

http://bp1.blogger.com/_jG-efUpJ7Oc/SA6IVBc9fgI/AAAAAAAAAvk/V2HbcNLt2TA/s320/4.jpg


You can see we make a successful connection
http://bp3.blogger.com/_jG-efUpJ7Oc/SA6Ihhc9fhI/AAAAAAAAAvs/FyjTE5F1QDI/s320/5.jpg

These tests show us that we are properly connecting through the RPC proxy server to the correct ports associated with Outlook Anywhere.

Reference the above MS article for a breakdown of the switches.

PerfMon:
Windows 2008 has added some additional performance counters for the RPC proxy that can assist in identifying connectivity problems and user load.

http://bp3.blogger.com/_jG-efUpJ7Oc/R-xUzie74UI/AAAAAAAAAss/nZhg8lJoR3Q/s320/perf.jpg


Common issues:
1. Certificates - If the client machine does not trust the certificate that is being presented, it will fail to connect. So if you are using self-signed or self-issued certificates you will need to deploy them to each client machine.

