
Exchange Server Forums


How to disable/enable Outlook Anywhere/RPC over HTTPS via GPO/reg hack for Outlook 2007?

How to disable/enable Outlook Anywhere/RPC over HTTPS v... - 10.Apr.2008 1:10:54 PM   
Adam Hay

 

Posts: 3
Joined: 10.Apr.2008
Status: offline
So we are looking at using Outlook Anywhere for our exec types at our organization so they don't have to deal with connecting to VPN (and losing our two factor authentication for these users in the process, but oh well...)

They will be connecting from company provided laptops that are joined to our domain.  They will log into their domain user profile using cached credentials when at home/on the road. 

In testing, it looks like autodiscover will allow these users to be connected to their mailboxes via Outlook Anywhere relatively painlessly, but will continue to connect using RPC over HTTPS until the "Connect to Microsoft Exchange using HTTP" check box is unchecked under the Connection tab of their Exchange account settings in Outlook 2007. We would really like them to use TCP/IP when they are in the office, and HTTPS when remote, but I'm having problems finding this setting in the outlk12.adm template and/or the registry. Have been thinking we can force TCP/IP via GPO when in the office and provide a .reg to turn on HTTPS when the user is remote.

Can anyone point me in the right direction on this? Is there a better way to accomplish this that I'm overlooking?

Thanks,
Adam
Post #: 1
RE: How to disable/enable Outlook Anywhere/RPC over HTT... - 10.Apr.2008 3:25:52 PM   
John Weber

 

Posts: 1236
Joined: 20.Apr.2005
From: Portland, Oregon
Status: offline
Uhm...errr.
What is the problem with just leaving them on the rpc/https setup all the time.
I use outlook that way and have ZERO problems.
And then you only have one configuration to sweat out.

FWIW, there are two connection check boxes inside the proxy setup tab screen thingy.   Uncheck the top one.

_____________________________

John Weber [Lync MVP] http://tsoorad.blogspot.com

(in reply to Adam Hay)
Post #: 2
RE: How to disable/enable Outlook Anywhere/RPC over HTT... - 10.Apr.2008 3:53:02 PM   
Adam Hay

 

Posts: 3
Joined: 10.Apr.2008
Status: offline
There's a couple of reasons why we want to go this way, both of which may be completely invalid:

1) I was hoping to avoid the additional processing overhead of the SSL on our Client Access server when it wasn't completely necessary. Not really sure how major of an impact this will have as we add users accessing Exchange via HTTPS.

2) Testing between the two connection methods, TCP/IP seems to have a good deal better performance on my laptop than HTTPS. My current hypothesis leads me to believe that this is either due to me traversing the firewall to hit Client Access or an issue with our CheckPoint client (seems to be wreaking havoc with Outlook's ability to maintain a connection to Exchange in general).

I'm about to remove and clean up the VPN client on my test laptop and see if things improve while connected over HTTPS. 

You think the SSL overhead is nothing to worry about for an anticipated load of <50 users or so? Am I pulling a Rube Goldberg?

Thanks for your help.


(in reply to John Weber)
Post #: 3
RE: How to disable/enable Outlook Anywhere/RPC over HTT... - 10.Apr.2008 5:26:18 PM   
Elan Shudnow

 

Posts: 897
Joined: 4.Jan.2007
From: Chicago, IL
Status: offline
For <50 users you have nothing to worry about regarding SSL CPU utilization unless you're using a 286 for your CAS. Outlook has to talk to the CAS anyway, especially if you're using Outlook 2007 and you start using the Autodiscover and web based services.

Outlook's default setup is to only use HTTP on a slow network. Basically, if you have direct connectivity to Exchange, you'll be on a fast network. If that fails and you don't have direct connectivity, Outlook will use HTTPS. This sounds like what you need and is the default setting. Because of this, do you really need to set up a GPO to "enforce" this setting to prevent users from modifying this setting?

I'm probably preaching to the choir, but keep in mind, the more settings you add to a GPO, or the more you try to enforce, the more difficult an environment is to manage (although GPMC helps with this).  My methodology is to keep things simple, keep things secure, and add to things that only really need to be added to ensure things are secure while keeping the administrative upkeep at a minimum.

_____________________________

Elan Shudnow
Exchange MVP
http://www.shudnow.net

(in reply to Adam Hay)
Post #: 4
RE: How to disable/enable Outlook Anywhere/RPC over HTT... - 22.Apr.2008 10:53:39 PM   
charliegadget

 

Posts: 53
Joined: 16.Nov.2007
Status: offline
quote:

ORIGINAL: Elan Shudnow

For <50 users you have nothing to worry about regarding SSL CPU utilization unless you're using a 286 for your CAS. Outlook has to talk to the CAS anyway, especially if you're using Outlook 2007 and you start using the Autodiscover and web based services.

Outlook's default setup is to only use HTTP on a slow network. Basically, if you have direct connectivity to Exchange, you'll be on a fast network. If that fails and you don't have direct connectivity, Outlook will use HTTPS. This sounds like what you need and is the default setting. Because of this, do you really need to set up a GPO to "enforce" this setting to prevent users from modifying this setting?

I'm probably preaching to the choir, but keep in mind, the more settings you add to a GPO, or the more you try to enforce, the more difficult an environment is to manage (although GPMC helps with this).  My methodology is to keep things simple, keep things secure, and add to things that only really need to be added to ensure things are secure while keeping the administrative upkeep at a minimum.


HERE HERE!!

Yep eric is spot on as usual, when you are "local" / "on network" Outlook 2007 will use TCP/IP / MAPI to connect to your mailbox.

Once you have enabled Outlook Anywhere on your CAS the Auto Discover Service will add the Outlook Anywhere details to your 2007 clients by default (not 2003 it would appear!) so if you don't want anyone but the Exec team to have the feature you will need to put the Exec team in a different OU with a different GPO and deny the settings to all others.

Regards

Charlie

(in reply to Elan Shudnow)
Post #: 5
RE: How to disable/enable Outlook Anywhere/RPC over HTT... - 21.Jul.2008 1:29:12 PM   
jasonbowne

 

Posts: 1
Joined: 21.Jul.2008
Status: offline
Outlook Anywhere works very well for this without us having to worry about switching user devices back and forth depending on who and how we want them to connect. If you are on the internal network, Outlook uses TCP/IP connections; if you are outside the network, RPC over HTTPS (as long as you have Outlook set to do that on fast and slow connections as well and not force Outlook to always use HTTPS etc.).

Now one thing that we did in our environment of almost 10,000 laptops worldwide was how do we push the Outlook Anywhere config to both Outlook 2003 and Outlook 2007 (running on Exchange 2003) as seamlessly as possible. To accomplish this we created a VBScript that we pushed out through SMS and was completely transparent to the user and did NOT require the end user to restart Outlook. Finding the exact registry keys to change was tricky as you don't want to have anything else going on in your system (from a registry perspective) AND you don't want to use the OK button.

To capture the registry keys I opened Outlook and went all the way into the Outlook Anywhere configuration settings. Used regsnap to capture current state registry > then checked the box to use Outlook Anywhere > clicked box for Exchange settings > then typed in the URL for https for our implementation > then click apply > then take post regsnap (if you click OK you will get extra reg keys that you don't need).

Here are the registry keys - they are in hex, so I changed all my keys for this post to 00 for example (this works for both outlook 2003 and outlook 2007 client):

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a]
"00036623"=hex:00,00,00,00
"00036627"=hex:00,00,00,00
"001f6622"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"001f6625"=hex:00,00


The VBScript that we wrote takes into account the existence of other profiles as our helpdesk will create new profiles to fix issues at times so I could not rely on a static profile name all the time - the script will turn on outlook anywhere with your settings - again I have changed all hex codes to 00 so you can still see the format.  Running this vbscript is silent and does not require a restart of outlook - tested it several times with an apply and remove process to make sure..   Enjoy!

-Jason

' Turns on Outlook Anywhere in every MAPI profile of the current user.
' All byte values below are placeholders (00), as in the .reg export above.
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

' Parent key that holds one subkey per Outlook profile
strKeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\"
' Subkey inside each profile that receives the four values
strSubKeyPath = "\13dbb0c8aa05101a9bb000aa002fc45a"

iKey1 = "00036623"
iValue1 = Array(&H00,&H00,&H00,&H00)
iKey2 = "00036627"
iValue2 = Array(&H00,&H00,&H00,&H00)
iKey3 = "001f6622"
iValue3 = Array(&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00,&H00)
iKey4 = "001f6625"
iValue4 = Array(&H00,&H00)

' Enumerate all profiles instead of relying on a fixed profile name
objReg.EnumKey HKEY_CURRENT_USER, strKeyPath, arrSubkeys
' EnumKey leaves arrSubkeys as Null when no profile exists; skip the loop in that case
If IsArray(arrSubkeys) Then
    For Each strSubkey In arrSubkeys
        strFullPath = strKeyPath & strSubkey & strSubKeyPath
        objReg.SetBinaryValue HKEY_CURRENT_USER, strFullPath, iKey1, iValue1
        objReg.SetBinaryValue HKEY_CURRENT_USER, strFullPath, iKey2, iValue2
        objReg.SetBinaryValue HKEY_CURRENT_USER, strFullPath, iKey3, iValue3
        objReg.SetBinaryValue HKEY_CURRENT_USER, strFullPath, iKey4, iValue4
    Next
End If


(in reply to charliegadget)
Post #: 6
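An added example, not part of the post above or the poster's script: a short Python parser for a .reg export of the profile key shown in that post, decoding each value by the four-hex-digit MAPI property-type prefix of its name (0003 = 32-bit integer, 001f = UTF-16 string), so the settings a pushed script writes can be reviewed in readable form. The sample export, the hostname mail.example.com and the function names are constructed for illustration.

```python
import re
import struct

# Constructed sample export (not the poster's real values); hostname is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a]
"00036623"=hex:2f,00,00,00
"00036627"=hex:02,00,00,00
"001f6622"=hex:6d,00,61,00,69,00,6c,00,2e,00,65,00,78,00,61,00,6d,00,70,00,6c,\
  00,65,00,2e,00,63,00,6f,00,6d,00,00,00
"001f6625"=hex:00,00
'''

VALUE_RE = re.compile(r'^"([0-9a-fA-F]{8})"=hex:(.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: bytes}} for the hex: values in a .reg export."""
    # A trailing backslash continues the value on the next line; join those first.
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = result.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
                current[m.group(1).lower()] = data
    return result

def decode_value(name, data):
    """Decode a value according to the property-type prefix in its name."""
    ptype = name[:4].lower()
    if ptype == '0003' and len(data) == 4:       # 32-bit little-endian integer
        return struct.unpack('<I', data)[0]
    if ptype == '001f' and len(data) % 2 == 0:   # UTF-16LE string, NUL-terminated
        return data.decode('utf-16-le', errors='replace').rstrip('\x00')
    return data.hex()                            # unknown type or odd length: keep raw

def outlook_anywhere_settings(text):
    """Map each exported key to its decoded values."""
    return {key: {n: decode_value(n, d) for n, d in vals.items()}
            for key, vals in parse_reg(text).items()}

if __name__ == "__main__":
    print(outlook_anywhere_settings(SAMPLE_REG))
```

Export the key with regedit on a test machine and pass the file's text to `outlook_anywhere_settings`; regedit writes .reg files as UTF-16, so open the file with that encoding.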
RE: How to disable/enable Outlook Anywhere/RPC over HTT... - 1.Aug.2008 6:07:20 AM   
davei0594

 

Posts: 1
Joined: 1.Aug.2008
Status: offline
Genius....

(in reply to jasonbowne)
Post #: 7
RE: How to disable/enable Outlook Anywhere/RPC over HTT... - 11.Feb.2009 3:34:46 PM   
jbackstr

 

Posts: 1
Joined: 11.Feb.2009
Status: offline
Hello!
I am new to forums so feel free to give advice on my posting style...

Anyhow, I also have been looking into disabling Outlook Anywhere for my internal clients. Why do I need this running on internal clients?

The reason I would like to disable Outlook Anywhere for internal clients is that when I fail over my Exchange 2007 mailbox server, clients that have Outlook Anywhere enabled are prompted for user credentials. This only happens to clients that have Outlook Anywhere enabled. When I disable Outlook Anywhere by manually unchecking the option and then do a failover, the failover is transparent for that user. My organization is too large to do this manually.

I can probably find a way to troubleshoot Outlook Anywhere so that the internal users are not prompted for credentials, perhaps by changing authentication from basic to NTLM, but I will refer to my original question and ask why I should bother troubleshooting this if I don't need it? What benefit does Outlook Anywhere give me for a client PC in my domain? Users that do not have Outlook Anywhere enabled appear to have full functionality.

I have a separate OU for laptops that will need Outlook Anywhere.

Also, I am wondering how this was enabled on some users but not on others? Will autodiscover just re-enable this feature after time if I disable it?

(in reply to Adam Hay)
Post #: 8
RE: How to disable/enable Outlook Anywhere/RPC over HTT... - 29.Mar.2011 7:58:02 PM   
Fullerton800

 

Posts: 1
Joined: 28.Mar.2011
Status: offline
Found that KB Article 961112 will shut off the settings in Outlook 2007; however, it has another side effect that the autodiscover part of Outlook 2007 stops working, which means when you add a user to a machine, the profile is still pointing at the first site server in our Exchange deployment (from our 2007 deployment), not our new Exchange 2010 deployment. The workaround we found is to add a DNS CNAME for the old server that points at the CAS pool.

Mike

(in reply to Adam Hay)
Post #: 9
