Exchange 2010 – Part 18 – Understanding and Managing Outlook Anywhere and POP/IMAP

In this post, we’ll look at two main parts to Outlook Anywhere and the POP/IMAP protocols:

  1. We will explain the concepts of Outlook Anywhere, POP, and IMAP.
  2. We will look at the implementation of Outlook Anywhere, POP and IMAP.

Outlook Anywhere, POP and IMAP are different from Outlook Web App and ActiveSync. You can get OWA and ActiveSync to work with an Exchange self-signed certificate, although for a production environment it’s best to set up your own certificate server or purchase a certificate from a third-party Certificate Authority. With Outlook Anywhere and POP/IMAP, however, you need valid certificates to go live. If you’re tempted to set up a PKI infrastructure, it’s not as easy as you might think, and it usually isn’t worth the headache when you can purchase certs from CAs for a very low cost.

Outlook Anywhere Overview

  • Outlook Anywhere allows external clients to use Outlook 2003/2007/2010 to connect directly to their corporate mailbox, without using a VPN connection.
  • Outlook Anywhere uses a networking feature called RPC over HTTP (in fact, in legacy Exchange versions that was the name of Outlook Anywhere). RPC over HTTP is a component in Windows: Outlook Anywhere takes the client’s Remote Procedure Calls, boxes them up in HTTP and passes them through the firewall.
  • All you have to do is enable Outlook Anywhere on a CAS server:
      * Install a valid SSL certificate – certificates touch on many areas, which we will cover in a later post.
      * Install the RPC over HTTP component – this component was probably installed already during the initial installation. If it still needs to be installed, go to Server Manager -> Features -> Add Feature.
      * Enable Outlook Anywhere.
  • You can enable Outlook Anywhere from the EMC or the EMS:
      * The “Enable-OutlookAnywhere” cmdlet.
  • To test Outlook Anywhere you can use the following tools:
      * Run the Test-OutlookConnectivity cmdlet to ensure your RPC over HTTP connections and TCP/IP settings are right.
      * Run the Exchange Remote Connectivity Analyzer (ExRCA) tool.
  • Testing looks for the following:
      1. Autodiscover connectivity
      2. DNS validation
      3. Certificate validation
      4. Firewall configuration
      5. Client connectivity

POP and IMAP Overview

  • POP and IMAP are protocols for connecting to Exchange; both are disabled by default, and most organizations would prefer you not use POP, as it is a security liability.
  • The old standard: POP was designed for ‘offline mail processing’
      * POP removes emails from the server and brings them down to the local client (unless configured otherwise)
      * POP doesn’t provide calendaring, contacts, or tasks
  • The new standard: IMAP
      * Provides both online and offline access, but still no extra features like calendaring, contacts, or tasks
  • Note: these are ‘receive protocols’, not ‘send protocols’, so they still rely on SMTP to send email
  • With both POP and IMAP, the client is responsible for checking in for mail; it isn’t pushed down to the client.
  • Enabling POP and IMAP is as easy as enabling the services on the system
  • After the services are running, you can enable your users to use POP or IMAP
  • You can configure various properties for each protocol, including:
      * Connection limits
      * Security
      * Message retrieval format options

To enable Outlook Anywhere, open the EMC and browse to Server Configuration and then the Client Access Role:

[Screenshot: OutlookAnywhereCA1]

In the screenshot above, you can see that Outlook Anywhere is already enabled. However, if it were not and you wanted to enable it, you would highlight the Client Access server and then, in the Action Pane, click Enable Outlook Anywhere.

[Screenshot: ScreenShot004]

From here you will be directed to a simple Wizard. Here you will enter the External Host Name:

[Screenshot: ScreenShot005]

Here we will want to provide an External Host Name that an external client will use to connect to the server, something like site.jasoncoltrin.com or mail.jasoncoltrin.com.

Client Authentication method:

Basic Authentication – The client must provide a domain/username/password, and they must be entered every time it connects to the server. When Basic Authentication is used, the information is sent in clear text over the wire.

NTLM Authentication – The user doesn’t have to enter a username/password; Windows network authentication is used, which is encrypted, and a hash is passed over the network. NTLM authentication can cause problems when trying to pass the encrypted traffic through firewalls, so some Exchange admins will want to use Basic authentication if users are not members of the Exchange server’s domain. Clients that have already logged into the domain simply pass cached credentials to Exchange.

Allow Secure Channel (SSL) offloading – This applies if you have a separate server for SSL encryption/decryption. Some choose to use an SSL accelerator to offload the CPU processing power used for SSL.

First, under Server Manager -> Features, make sure the RPC over HTTP Proxy feature is installed/added.

The command for enabling Outlook Anywhere with the Exchange Management Shell will look something like the following:

Enable-OutlookAnywhere -Server 'EXCH1' -ExternalHostname 'mail.jasoncoltrin.com' -DefaultAuthenticationMethod 'Basic' -SSLOffloading $false
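The same enablement from the EMS, followed by the three checks the post mentions (configuration, the Application log event, and Test-OutlookConnectivity), as an added example that is not part of the original post. It assumes the post's sample values EXCH1 and mail.jasoncoltrin.com and Exchange 2010 SP1 cmdlet parameters.

```powershell
# Added example, not from the original post. Assumes EXCH1 / mail.jasoncoltrin.com
# (the post's sample values) and Exchange 2010 SP1 parameter names.

# 1. The RPC over HTTP Proxy Windows feature must be present before enabling.
Import-Module ServerManager
if (-not (Get-WindowsFeature -Name 'RPC-over-HTTP-Proxy').Installed) {
    Add-WindowsFeature -Name 'RPC-over-HTTP-Proxy'
}

# 2. Enable the feature. NTLM is used here so that the password is not carried
#    Base64-encoded in every request as it is with Basic; Basic is only needed
#    for clients that are not domain members, and then only inside the SSL tunnel.
Enable-OutlookAnywhere -Server 'EXCH1' `
    -ExternalHostname 'mail.jasoncoltrin.com' `
    -DefaultAuthenticationMethod 'NTLM' `
    -SSLOffloading $false

# 3a. Confirm the CAS reports the expected settings.
Get-OutlookAnywhere -Server 'EXCH1' |
    Format-List ServerName, ExternalHostname, ClientAuthenticationMethod, SSLOffloading

# 3b. Event 3006 ("The Outlook Anywhere feature has been enabled") appears in the
#     Application log once the change has been applied.
Get-EventLog -LogName Application -Newest 200 |
    Where-Object { $_.EventID -eq 3006 -and $_.Source -like 'MSExchange*' } |
    Select-Object TimeGenerated, Source, Message

# 4. Exercise the RPC over HTTP path end to end (host name, certificate,
#    authentication) with the server's test mailbox; each failed step is reported.
Test-OutlookConnectivity -Protocol HTTP -GetDefaultsFromAutodiscover $true
```

Run it in the Exchange Management Shell on the CAS as an Exchange Organization Administrator; step 4 needs the test mailbox created by New-TestCasConnectivityUser.ps1.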

To configure POP3 and IMAP4, we do not enable/configure them through the Exchange Console; we actually go into the server’s services:

Start -> Administrative Tools -> Services (control panel)

Find the service named Microsoft Exchange POP3 -> Properties -> Startup type: Automatic (then start the service)

Find the service named Microsoft Exchange IMAP4 -> Properties -> Startup type: Automatic (then start the service)

To make changes to the protocols, you can change them in the EMC -> Client Access -> POP3 and IMAP4 tab.
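The same POP3/IMAP4 set-up done from the EMS instead of services.msc and the EMC tab, as an added example that is not part of the original post. It configures the three property groups the post lists (security, connection limits, message retrieval format) before starting the services; mail.jasoncoltrin.com is the post's sample certificate name and the limits are illustrative numbers.

```powershell
# Added example, not from the original post. The certificate subject name is the
# post's sample value; connection limits are illustrative.
$certName = 'mail.jasoncoltrin.com'   # must match a valid certificate on the CAS

# Security: SecureLogin refuses a clear-text logon on 110/143 until the client
# has issued STARTTLS; 995/993 are SSL-wrapped. X509CertificateName selects the
# installed certificate that the services present to clients.
Set-PopSettings  -LoginType SecureLogin -X509CertificateName $certName `
    -MaxConnections 2000 -MaxConnectionFromSingleIP 50 `
    -MessageRetrievalMimeFormat BestBodyFormat
Set-ImapSettings -LoginType SecureLogin -X509CertificateName $certName `
    -MaxConnections 2000 -MaxConnectionFromSingleIP 50 `
    -MessageRetrievalMimeFormat BestBodyFormat

# The services are disabled by default. Make them automatic and (re)start them
# so the settings above are read at start-up.
foreach ($svc in 'MSExchangePOP3', 'MSExchangeIMAP4') {
    Set-Service -Name $svc -StartupType Automatic
    if ((Get-Service -Name $svc).Status -eq 'Running') {
        Stop-Service -Name $svc
    }
    Start-Service -Name $svc
}

# Verify the listeners and the logon policy, protocol by protocol.
Get-PopSettings  | Format-List LoginType, SSLBindings, UnencryptedOrTLSBindings, X509CertificateName
Get-ImapSettings | Format-List LoginType, SSLBindings, UnencryptedOrTLSBindings, X509CertificateName
```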

To configure the clients, i.e., to decide which recipients are allowed access to Outlook Anywhere/POP3/IMAP4, go into EMC -> Recipients -> right-click on the user -> Properties -> Mailbox Features tab -> Enable/disable POP3/IMAP4.

Using the Set-CASMailbox cmdlet

In order to control the access to some of our client access server settings, we want to use the Set-CASMailbox cmdlet.

  • The Set-CASMailbox cmdlet is used to set attributes related to client access for ActiveSync, OWA, Outlook Anywhere, POP and IMAP for specified users.
  • You can use the cmdlet with the -MAPIBlockOutlookRpcHttp parameter to control whether clients can connect with Outlook using Outlook Anywhere, for example to deny users in a certain location the ability to use Outlook Anywhere:
      * Get-Mailbox "UserHere" | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$true
      * Get-Mailbox -OrganizationalUnit "OU here" | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$true (anyone who has this applied will not be allowed to use Outlook Anywhere).
  • Or you can use ISA or some other solution (or other proxy filtering software) to block entry.

To verify that Outlook Anywhere has been enabled, look for event 3006 in the Application log: “The Outlook Anywhere feature has been enabled.”
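Per-mailbox protocol control with Set-CASMailbox taken one step further, as an added example that is not part of the original post: block Outlook Anywhere for one user, block Outlook Anywhere plus POP3/IMAP4 for a whole OU, then audit which mailboxes can still use any of the three. The alias 'jdoe' and the OU 'Contractors' are placeholders.

```powershell
# Added example, not from the original post. 'jdoe' and 'Contractors' are
# placeholder names.

# Single user: block Outlook Anywhere only (the post's own example, restated).
Get-Mailbox -Identity 'jdoe' | Set-CASMailbox -MAPIBlockOutlookRpcHttp $true

# Whole OU: block Outlook Anywhere and also POP3/IMAP4, leaving OWA/ActiveSync.
# PopEnabled/ImapEnabled are $true per mailbox even while the POP3/IMAP4 services
# are stopped, so set them explicitly before the services are turned on.
Get-Mailbox -OrganizationalUnit 'Contractors' -ResultSize Unlimited |
    Set-CASMailbox -MAPIBlockOutlookRpcHttp $true -PopEnabled $false -ImapEnabled $false

# Audit: every mailbox that can still reach Exchange over POP, IMAP or
# Outlook Anywhere, for review against the intended policy.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or -not $_.MAPIBlockOutlookRpcHttp }
$exposed |
    Select-Object Name, PopEnabled, ImapEnabled, MAPIBlockOutlookRpcHttp, OWAEnabled, ActiveSyncEnabled |
    Sort-Object Name |
    Format-Table -AutoSize

# Undo for one mailbox, e.g. when a blocked user moves back to the main office.
Set-CASMailbox -Identity 'jdoe' -MAPIBlockOutlookRpcHttp $false
```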

In review, we learned the purpose of Outlook Anywhere, POP and IMAP, and we reviewed the initial configuration of these different access methods. It’s not all that complicated to set up.

A couple of EMS points to remember:

*Enable-OutlookAnywhere (can enable through shell)

*Test-OutlookConnectivity (ensures connectivity is solid) – an excellent tutorial for using the Test-OutlookConnectivity cmdlet is located here: http://blogs.catapultsystems.com/tharrington/archive/2010/09/17/troubleshooting-the-client-access-server.aspx

*Set-CASMailbox (cmdlet configures users for access to the Client Access Server)

A large majority of the content provided in my Blog’s Exchange series is derived from J. Peter Bruzzese’ excellent Train Signals Exchange Server 2010 Video Disk Series, as well as my own Exchange 2010 lab. Trainsignal.com is an invaluable source for accurate, easy to understand, IT information and training. http://www.trainsignal.com

Exchange 2010 – Part 15 – Overview of the Exchange CAS Server Role

The Exchange 2010 CAS Server Role

In this post, we will review the purpose of the Client Access Server (CAS) Role in Exchange 2010.

We will discuss the following CAS Role aspects:

  • Outlook Web App
  • Exchange Active Sync
  • Outlook Anywhere
  • POP3 and IMAP
  • The Availability Service
  • The Autodiscover Service

Take for example this scenario: a team meeting to discuss the CAS role

  • The more mobile your users wish to be, the more the CAS Role comes into focus
  • You most likely will have mobile users that want to connect to Exchange using their browser, mobile, smart phone or tablet, through Outlook or some POP/IMAP oriented mail application
  • The role of an administrator is to ensure connectivity from any remote location, and that connectivity is provided without compromising security

The Evolution of CAS

  • Exchange 2000/2003 didn’t have CAS servers; they had “Front End” servers
      – With “Front End” servers, internal clients connected with Outlook using MAPI. MAPI is the “Messaging Application Programming Interface”; it is the protocol Outlook uses to connect with Exchange and send email. Internal Outlook clients connected directly to Mailbox servers using MAPI over RPC.
      – External clients used the “Front End” more as a proxy that could handle RPC over HTTP (for Outlook Anywhere), HTTPS (for Outlook Web Access, or OWA), and POP/IMAP. Clients connected in, provided credentials, and the Front End server decided which mailbox server to connect them to.
  • Exchange 2007 introduced the CAS role, which is more than a proxy server: it offloads a significant amount of the load that the mailbox servers typically handled
      – Internal MAPI clients still connected directly to the Mailbox role. In 2007, the Client Access role started to handle the middle tier of a three-tier application (the logic tier).
  • Exchange 2010 introduces a new service (MSExchangeRPC) so that the CAS role is a “true” middle tier. It now takes on the brunt of the work that the Mailbox role had to do in the past.

The Exchange 2010 CAS Role is Middle Tier

  • In Exchange 2010, the CAS role handles both external and internal connections to the Mailbox role, with the exception of Public Folder connections. So whether they’re coming from OWA or from Outlook inside the LAN, they will both go through the CAS role.
  • MAPI and directory connections are handled by the CAS server now, relieving a ton of load from the Mailbox server role and ultimately increasing the number of concurrent connections to a Mailbox server (in Exchange 2007 we had 64K, and now we have 250K).
  • Because so much is now offloaded to the CAS role, it carries a lot more responsibility, so we need to ensure that load balancing and CAS Array concerns, as well as security concerns, are met.

CAS Role Aspects

  • Outlook Web App: Allows you to access email through a web browser (including IE, Firefox, Safari and Chrome). This used to be called “Outlook Web Access”. The biggest change that users appreciate is that it works at the same level in different browsers. It is handled by the CAS role and IIS.
  • Exchange ActiveSync: Allows you to sync your data between your mobile device or smart phone and Exchange. There are varying levels of ActiveSync support in devices, and one key security element is remote wipe, which is not available for all devices.
  • Outlook Anywhere: Allows you to connect to your Exchange mailbox externally using Outlook (RPC over HTTP) without going through a VPN connection. It’s great for Outlook at home with the “in-house” experience.
  • POP/IMAP support: Mail clients other than Outlook (e.g. Mozilla Thunderbird/Live Mail) that connect with POP or IMAP are supported through the CAS role.
  • Availability Service: Shows free/busy data to Outlook 2007/2010 users.
  • Autodiscover Service: Helps Outlook clients and some mobile phones automatically receive profile settings and locate Exchange services.

Looking at the Exchange Management Console:

Under Organization Configuration, you can make changes to the Client Access Role:

[Screenshot: ClientAccessRole]

At this point you have two options: modify the default policy under Outlook Web App Policies or under Exchange ActiveSync Mailbox Policies.

As an administrator you can control functionality of the user experience and even the devices connecting to the CAS.

Is modifying the following options a good or bad April Fools joke to play on your User’s smart phones?

[Screenshot: ActiveSynchOptions2]

Maybe not such a good idea to mess with these…

Client Access under the Server Configuration node in the EMC provides us with many more configuration options.

[Screenshot: ServerConfigCAS]

Some of the different tabs located here are:

  • Outlook Web App – Config changes to owa Default Web Site
  • Exchange Control Panel – connected with IIS ecp default web site
  • Exchange ActiveSync – Configure IIS/ActiveSync default website
  • POP3/IMAP4 – configure these mail protocols
  • Offline Address Book Distribution – If you recall, we talked about the OAB now being distributed through web services
  • Outlook Anywhere – in a future post we will hit the “Enable Outlook Anywhere…” feature and go through its configuration.

So in review we’ve explained the purpose of the Client Access Server roles, discussed the different CAS features, and toured the EMC locations for working with the Client Access Service.
