Enable Outlook Anywhere

Exchange 2010

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-03-19

Use the Enable Outlook Anywhere wizard on the Exchange Server 2010 Client Access server to allow users to connect to their Exchange mailbox from the Internet. Outlook Anywhere eliminates the need for users in remote offices or mobile users to use a virtual private network (VPN) to connect to their Exchange servers.

Outlook Anywhere will be enabled on your Client Access server after a configuration period of approximately 15 minutes. To verify that Outlook Anywhere has been enabled, check the application event log on the Client Access server.


  • Install a valid Secure Sockets Layer (SSL) certificate from a certification authority (CA) that the client trusts.
  • Install the Microsoft Windows RPC over HTTP Proxy component if it wasn’t already installed by default in Windows Server 2008. For detailed steps, see Install the Windows RPC Over HTTP Proxy Component.
  • Enable Outlook Anywhere on the Client Access server.

When you install Exchange 2010, you can install a default SSL certificate that’s created by Exchange Setup. However, this certificate isn’t a valid SSL certificate that’s trusted by the client. To use Outlook Anywhere, you must install an SSL certificate that’s trusted by the client.


Use the EMC to enable Outlook Anywhere

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the “Outlook Anywhere configuration settings” entry in the Client Access Permissions topic.

  1.  In the console tree, navigate to Server Configuration > Client Access.
  2. In the action pane, click Enable Outlook Anywhere.
  3. In the Enable Outlook Anywhere wizard, type the external host name or URL for your organization in the box under External host name.
    This is the URL, for example site.contoso.com, that users will use to connect to the Exchange server by using Outlook Anywhere.
  4. Select an available external authentication method. You can select Basic authentication or NTLM authentication.
    Basic authentication sends the user name and password in clear text. It also requires that users enter domain, user name, and password every time that they connect to the Exchange server. When you use NTLM authentication, the user’s credentials are never sent over the network. Instead, the client computer and the server exchange hashed values of the user’s credentials. NTLM can also use the current Windows operating system logon information.
    Even though it’s more secure, NTLM may not work with firewalls that examine and modify traffic. You can use an advanced firewall server such as Microsoft Internet Security and Acceleration (ISA) Server 2006 together with NTLM authentication for Outlook Anywhere.

    Negotiate Ex authentication is an authentication type that’s reserved for future Microsoft use and should not be used. Use of this setting will cause authentication to fail.
  5. If you’re using an SSL accelerator and you want to use SSL offloading, select the check box next to Allow secure channel (SSL) offloading.
    Select this check box if you’ll be using a separate server to handle Secure Sockets Layer (SSL) encryption and decryption. When you use SSL offloading, the firewall in front of the Client Access server ends the SSL session and then establishes a new non-SSL session to the Exchange server.

    Don’t use this option unless you’re sure that you have an SSL accelerator that can handle SSL offloading. If you don’t have an SSL accelerator that can handle SSL offloading, and you select this option, Outlook Anywhere won’t function correctly.
  6. Click Enable to apply these settings and enable Outlook Anywhere.
  7.  Click Finish to close the Enable Outlook Anywhere wizard.


Use the Shell to enable Outlook Anywhere

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the “Outlook Anywhere configuration settings” entry in the Client Access Permissions topic.

In this example, the Client Access server named Exch1 is enabled for Outlook Anywhere with its external host name as site.contoso.org, the default authentication set to Basic, and SSL offloading not selected.

Enable-OutlookAnywhere -Server 'Exch1' -ExternalHostname 'site.contoso.org' -DefaultAuthenticationMethod 'Basic' -SSLOffloading $false

This example enables the server named Server01 for Outlook Anywhere. The external host name is set to mail.contoso.com, both Basic and NTLM authentication are used, and SSL offloading is set to $true. The ClientAuthenticationMethod parameter specifies the authentication method that the Autodiscover service provides to the Outlook Anywhere clients to authenticate to the Client Access server. The authentication method can be set to Basic or NTLM.

Enable-OutlookAnywhere -Server:Server01 -ExternalHostname:mail.contoso.com -ClientAuthenticationMethod:Ntlm -SSLOffloading:$true

For more information about syntax and parameters, see Enable-OutlookAnywhere.

Other Tasks

After you enable Outlook Anywhere, you may want to Configure Client Access Server Properties.

Published by Wouter Makkinje

I am a 30 Year old IT Consultant from Kalmar Sweden.