Exchange 2007 & Outlook Anywhere
We have 2 Exchange boxes in our environment: one Exch 07 production box, the other is an SCR replication box running Exch 07. I just found out last week that no SPs have been applied to these Exchange servers yet. YIKES!!!
The previous network admin set up RPC/HTTP on our Exch 03 box before we upgraded to Exch 07. We had a consultant come in and upgrade our box and transfer all settings, including RPC/HTTP, which is now Outlook Anywhere, onto the new server. One thing I noticed is that he set up OA with the basic authentication method, and from what I have read that is why, when my users are connected to the internal network, they keep getting prompted to enter authentication credentials every time they open Outlook. Now if I switch it to NTLM, will that get rid of the prompting from inside my network but still prompt users when outside my network? I have a lot of mobile users and we want to provide them with Outlook functionality when away from the office but still be secure.
To change it from basic to NTLM, do I just go to EMC > Server Config > Client Access > click the server, select Properties > click the Outlook Anywhere tab on the new window that opened > click the radio button next to NTLM, then go to each workstation that uses OA and change from basic to NTLM?
Will this change affect any other sort of functionality with Exchange and client software/devices (i.e., ActiveSync/mobile phones/BlackBerrys, etc.)?
March 30th, 2010 9:41pm
On Tue, 30 Mar 2010 18:41:17 +0000, xchangepatewon wrote:

[ snip ]

>The previous network admin set up RPC/HTTP on our Exch 03 box before we upgraded to Exch 07. We had a consultant come in and upgrade our box and transfer all settings, including RPC/HTTP, which is now Outlook Anywhere, onto the new server. One thing I noticed is that he set up OA with the basic authentication method, and from what I have read that is why, when my users are connected to the internal network, they keep getting prompted to enter authentication credentials every time they open Outlook. Now if I switch it to NTLM, will that get rid of the prompting from inside my network but still prompt users when outside my network? I have a lot of mobile users and we want to provide them with Outlook functionality when away from the office but still be secure.

Configure both basic and Windows Integrated authentication methods.

>To change it from basic to NTLM, do I just go to EMC > Server Config > Client Access > click the server, select Properties > click the Outlook Anywhere tab on the new window that opened > click the radio button next to NTLM, then go to each workstation that uses OA and change from basic to NTLM?

If you want to configure both authentication mechanisms you'll have to use the PowerShell cmdlet Set-OutlookAnywhere with the "-IISAuthenticationMethods basic,ntlm" parameter and values.

>Will this change affect any other sort of functionality with Exchange and client software/devices (i.e., ActiveSync/mobile phones/BlackBerrys, etc.)?

No.

---
Rich Matheisen
MCSE+I, Exchange MVP
---
March 31st, 2010 6:02am
So if I just do NTLM, then are you saying it will not prompt for credentials when outside the office and that's why I need to do both basic and NTLM?
Also, I have read that depending on the firewall you have, it could block/deny NTLM from passing through. We run a WatchGuard X1250e; do I need to make any changes on that to allow for NTLM to pass through without issue, or will that not be an issue since I will have both basic and NTLM configured?
March 31st, 2010 5:14pm
On Wed, 31 Mar 2010 14:14:18 +0000, xchangepatewon wrote:

>So if I just do NTLM, then are you saying it will not prompt for credentials when outside the office and that's why I need to do both basic and NTLM?

A lot depends on how you connect from the Internet. You probably aren't using MAPI/RPC directly, although it's possible you are. If you are, I hope you're using an ISA server to publish only the GUIDs you need! It may also depend on your ISP. Many don't allow ports 137, 138, 139, and 445 (with good reason), and neither should you.

If you're using Outlook and RPC-Over-HTTPS then NTLM is okay. If you're publishing through an ISA server you can't use NTLM and pre-authentication because there's no (easy) way to proxy the credentials.

>Also, I have read that depending on the firewall you have, it could block/deny NTLM from passing through. We run a WatchGuard X1250e; do I need to make any changes on that to allow for NTLM to pass through without issue, or will that not be an issue since I will have both basic and NTLM configured?

If you're using RPC-Over-HTTPS your firewall just sees HTTPS so using NTLM will work -- provided the client machines are domain-joined.

---
Rich Matheisen
MCSE+I, Exchange MVP
---
April 1st, 2010 1:02am
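
Added example, not part of the thread and not from either poster: a Python check of which authentication schemes an Outlook Anywhere endpoint advertises, useful for confirming that both Basic and NTLM are offered after the change discussed above. The 401 responses and the host name mail.example.com are constructed samples; it is assumed the raw response text comes from an unauthenticated HTTPS request to the server's /rpc/rpcproxy.dll path.

```python
# Added example (not from the thread). Sample responses are constructed;
# mail.example.com is a placeholder host name.

# Constructed 401 from an endpoint configured for Basic only.
BASIC_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="mail.example.com"\r\n'
    "Content-Length: 0\r\n\r\n"
)
# Constructed 401 from an endpoint offering both Basic and NTLM.
BASIC_AND_NTLM = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="mail.example.com"\r\n'
    "Content-Length: 0\r\n\r\n"
)


def offered_schemes(raw_response):
    """Return the lower-cased auth schemes named in WWW-Authenticate headers."""
    # Keep only the header section, tolerating CRLF or LF line endings.
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    schemes = set()
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            # The scheme is the first token; parameters such as realm follow it.
            schemes.add(value.split()[0].lower())
    return schemes


def compare(raw_response, expected=("basic", "ntlm")):
    """Report which expected schemes are offered, missing, or unexpected."""
    offered = offered_schemes(raw_response)
    wanted = set(expected)
    return {
        "offered": sorted(offered),
        "missing": sorted(wanted - offered),
        "unexpected": sorted(offered - wanted),
    }


if __name__ == "__main__":
    for label, raw in (("basic only", BASIC_ONLY), ("basic + ntlm", BASIC_AND_NTLM)):
        print(label, compare(raw))
```
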