Outlook defaulting to Exchange Proxy?
Is there a place in Exchange 2007 to set client defaults? Every client that I set up defaults to Exchange proxy from within the organization... And they're desktops that are never taken out of the firm. The problem is it is defaulting to the webmail server that's in a DMZ and the clients constantly have weird issues with authenticating. When I uncheck the Proxy settings everything works fine.
Is there a reason for this? I can't figure out if it is something Exchange does by default for some reason or if one of the other guys before me set this up... We have Exchange 2007 and clients are on Outlook 2007.
Thanks!
Tony
April 7th, 2011 12:17pm
Possibly the setting is being pushed via GPO, check the article below for the settings. However, just because Outlook Anywhere is set and configured, internal clients shouldn't be connecting over RPC\HTTP. However, if it's detecting a slow connection, and Outlook Anywhere settings has "on slow networks connect using http first" checked, then it can flip-flop between TCP or HTTP depending on network conditions.
You cannot use Group Policy settings to configure Outlook Anywhere (RPC/HTTP) settings
http://support.microsoft.com/kb/961112
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
April 7th, 2011 12:22pm
Interesting, I installed the ADM and it doesn't show any settings, but every Exchange we set up automatically sets the proxy information up...
The problem is that we have a bunch of subnets and all traffic flows through a firewall, so when our 106.0 network communicates with our 105.0 network, traffic is restricted. All traders are on the 106 network and DCs and Exchange are on 105. When Exchange proxy is set up, the login screen pops up every time a client opens Outlook and the address is listed as the webmail server, which is in a DMZ and has even further restrictions. When I disable the proxy settings, the login server address changes to our internal DC.
April 7th, 2011 1:17pm
I forgot you're running 2007, so the Outlook Anywhere settings are getting populated by autodiscover. I think we need to focus on why it's trying to connect over Outlook Anywhere when it's inside. On a problem computer, can you re-enable Outlook Anywhere, but go into the settings and uncheck both
On fast networks, connect using HTTPS first..
On slow networks, connect using HTTPS first...
Maybe your firewall is also contributing. I was thinking it's blocking RPC traffic so it's falling back to HTTP, but then it wouldn't explain why it would work once you disable Outlook Anywhere. Try the suggestion above first, and post back.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
April 7th, 2011 1:51pm
The CAS should not be and is not supported in the DMZ.
April 7th, 2011 2:02pm
Sounds like Outlook is doing exactly what it's supposed to do.
You have enabled Outlook Anywhere and it sounds as if the CAS is in the DMZ. Autodiscovery is telling Outlook what URLs to contact and one of those URLs is apparently in the DMZ that throws up the auth prompt. It doesn't matter that these workstations are internal or external, you enabled Outlook Anywhere.
If the CAS is in the DMZ (or any other Exchange Server except the Edge Role), it needs to go back on the internal LAN.
April 7th, 2011 2:28pm
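An added example, not written by any poster in this thread: the XML tab of Outlook's Test E-mail AutoConfiguration shows the Autodiscover response, and this PowerShell sketch lists the EXCH (RPC/TCP) and EXPR (Outlook Anywhere) entries in it and marks an EXPR server outside the internal namespace. The sample response, the hostnames, the `.corp.example` suffix and the function name `Get-AutodiscoverProtocol` are constructed for illustration.

```powershell
# Constructed sample response; all hostnames are placeholders.
$sample = @'
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Protocol>
        <Type>EXCH</Type>
        <Server>mbx01.corp.example</Server>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>webmail.dmz.example</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

# Hypothetical helper: one object per <Protocol> block in the response.
function Get-AutodiscoverProtocol {
    param(
        [Parameter(Mandatory = $true)][string]$Xml,
        # Assumption: internal Exchange hosts share this DNS suffix.
        [string]$InternalSuffix = '.corp.example'
    )
    $doc = [xml]$Xml
    # local-name() avoids registering the response's two default namespaces.
    foreach ($p in $doc.SelectNodes("//*[local-name()='Protocol']")) {
        $server = [string]$p.Server
        $internal = $server.EndsWith($InternalSuffix, [StringComparison]::OrdinalIgnoreCase)
        $note = ''
        if ($p.Type -eq 'EXPR' -and -not $internal) {
            $note = 'Outlook Anywhere proxy is outside the internal suffix'
        }
        [pscustomobject]@{
            Type        = [string]$p.Type
            Server      = $server
            AuthPackage = [string]$p.AuthPackage
            Note        = $note
        }
    }
}

Get-AutodiscoverProtocol -Xml $sample | Format-Table -AutoSize
```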
I haven't been able to find a machine that's having the trouble since we fixed all of them in the meantime. But to respond to AndyD, that's the whole point, why is Outlook Anywhere turned on by default? We are not turning it on when we set up these machines, it is getting these settings from autodiscovery... Is there a place where we can change it to either disable it by default, or at least change the server? The webmail server in the DMZ is not our CAS. Our CAS is internal, all the webmail server does is host OWA, or would that then make it a CAS?
April 7th, 2011 4:06pm
Is it an Exchange Server or reverse proxy in the DMZ?
If you TRULY do not need Outlook Anywhere, you can disable it, yes. It's not enabled by default.
http://technet.microsoft.com/en-us/library/bb124537.aspx
April 7th, 2011 4:25pm
To selectively disable autodiscover from configuring Outlook Anywhere use the instructions below.
Prevent Outlook Anywhere (aka RPC over HTTP) from being automatically configured in Exchange 2007 with autodiscover
http://ilantz.wordpress.com/2009/06/18/prevent-outlook-anywhere-aka-rpc-over-http-from-being-automaticly-configured-in-exchange-2007-with-autodiscover/
Yes, it's still a CAS even if it's only serving as webmail. Also, depending on what URLs you specified for all your web services, your CAS boxes in the DMZ may be doing more than just webmail if those URLs are pointing to them. And yes, Andy is right, CAS in DMZ is not supported.
Don't put CAS in the Perimeter network!
http://blogs.technet.com/b/exchange/archive/2009/10/21/3408587.aspx
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
April 7th, 2011 4:26pm
I would be very careful selectively messing with autodiscovery, it could break something bad.
April 8th, 2011 9:22am
Thanks for all the responses. I have come to the conclusion that the Exchange infrastructure needs to be changed. I am going to create an Edge Transport in the perimeter and pass traffic back internally to the mail server. I think that they did in-place upgrades from old versions of Exchange and landed here.
Thanks!
April 8th, 2011 9:24am
So there is a CAS in the DMZ? In that case, yep, time to modify your architecture. Good Luck!
April 8th, 2011 9:48am