Configuring the Outlook 2003 Email Client

 

The Outlook 2003 clients supports the full range of email protocols that remote users need to access information located on the Exchange Server on the corporate network. You can use Outlook 2003 to gain access to information on the Exchange Server using secure and unsecured forms of the SMTP, POP3, IMAP4, RPC and the all new RPC over HTTP protocols.

 

The following procedures can be performed on the Outlook 2003 client to allow it to use the full range of mail access protocols to connect to the published Exchange Server on the internal network:

 

• Install the Root CA Certificate on the Outlook 2003 Client
• Configure the Outlook 2003 Client for Secure SMTP/POP3 Connections
• Configure the Outlook 2003 Client for Secure SMTP/IMAP4 Connections
• Configure the Outlook 2003 Client for Secure RPC Connections
• Configure the Outlook 2003 Client for Secure RPC over HTTP connections

 

The remainder of this ISA Server 2000 Exchange Server 2000/2003 Deployment Kit discusses the details of these procedures.

 

 

 

Install the Root CA Certificate on the Outlook 2003 Client

 

The root CA certificate must be in the user certificate store on the machine attempting to make a secure connection to the Exchange Server or secure SMTP relay. While it is possible to make a secure connection in some instances when the root CA certificate is not installed on the OE client, the user will be presented with error dialog boxes that may be confusing and generate Help Desk support calls. You can circumvent this problem by installing the root CA certificate on the OE client machine.

 

Please refer to ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document How to Import the Root CA Certificate into Email Client Certificate Stores for details on how to import the root CA certificate into the OE client’s certificate store.

 

 

Configure the Outlook 2003 Client for Secure SMTP/POP3 Connections

 

The combination of SMTP and POP3 protocols are the most common methods used to send and receive email from an Exchange Server from a remote client. Almost all users are familiar with SMTP/POP3 email and therefore it is often the remote mail access method of choice.

 

Perform the following steps to configure the Outlook 2003 client to use SMTP/POP3 to access mail on the published Exchange Server:

 

1. Right click the Outlook 2003 icon on the desktop and click the Properties command (figure 1).

 

Figure 1

 

2. In the Mail Setup – Outlook dialog box (figure 2), click on the E-mail Account button in the E-mail Accounts frame.

 

Figure 2

 

3. Select the Add a new e-mail account option in the E-mail Accounts page (figure 3).

 

Figure 3

 

4. On the Server Type page (figure 4), select the POP3 option.

 

Figure 4

 

5. Fill in the text boxes on the Internet E-mail Settings (POP3) page (figure 5). Enter either a FQDN or IP address in the Incoming mail server (POP3) and Outgoing mail server (SMTP) text boxes. If you use an IP address, make sure the IP address is the same IP address you used in the POP3 and SMTP Server Publishing Rules on the ISA Server firewall. If you use a FQDN, then make sure that FQDN resolves to the address on the external interface of the ISA Server firewall that you used in the SMTP and POP3 Server Publishing Rule.

 

Note that if you wish to use secure SMTP and secure SMTP connections, you must use FQDNs. The FQDN you use in the Incoming mail server (POP3) and Outgoing mail server (SMTP) text boxes must be the same as the common name in the server certificate used by the POP3 or SMTP service you connect to.

 

In this example we have bound a Web server certificate to the POP3 and SMTP services that has the common name mail.internal.net. Therefore, we enter mail.internal.net in the SMTP and POP3 text boxes. If you are not using secure connection, then you can enter an IP address in these text boxes instead of a FQDN.

 

Click the More Settings button (figure 5).

 

Figure 5

 

6. In the Internet E-Mail Settings dialog box (figure 6), click on the Outgoing Server tab. Put a checkmark in the My outgoing server (SMTP requires authentication checkbox if you are publishing your own SMTP server and require authentication.

 

You have two options: Use same settings as my incoming mail server and Log on using. If you are publishing your own SMTP server, there is a good chance that the SMTP server belongs to the same domain, or a trusting domain, as the POP3 server and the user accounts database. In that case, you would use the Use same settings as my incoming mail server option. If the SMTP server uses a user database that is not the same as the POP3 server database, then configure the SMTP server credentials to be different than the POP3 credentials.

 

Figure 6

 

7. Click the Advanced tab (figure 7). Put checkmarks in the This server requires an encrypted connection (SSL) checkboxes. This forces the client to negotiate a secure SSL connection with the POP3 and SMTP servers. You can leave the email on the Exchange Server if you put a checkmark in the Leave a copy of messages on the server checkbox. This is helpful if the user would like to be able to access the messages from the full MAPI connection when the user returns to the office.

 

Click OK.

 

Figure 7

 

8. Click the Test Account Settings button to test if the current settings work correctly (figure 8).

 

Figure 8

 

9. You will see the status of the SMTP and POP3 connections in the Test Account Settings dialog box (figure 9). Click close after all tests complete successfully.

 

Figure 9

 

10. Click Next on the Internet E-mail Settings (POP3) page (figure 10).

 

Figure 10

 

11. Click Finish on the Congratulations page (figure 11).

 

Figure 11

 

12. Click Close on the Mail Setup – Outlook dialog box (figure 12).

 

Figure 12

 

The Outlook 2003 secure authenticating SMTP/POP3 client is now ready to use.

 

 

Configure the Outlook 2003 Client for Secure SMTP/IMAP4 Connections

 

You can use the combination of the SMTP and IMAP4 protocols to allow your users access to the entire folder hierarchy in their Exchange mailbox. The POP3 protocol only has access to the Inbox for the user’s account and the POP3 client, by default, downloads the entire contents of the Inbox. In contrast, the default setting on the IMAP4 client leaves the messages on the Exchange Server and downloads only the header information. The IMAP4 client is able to view information in all folders in the user’s mailbox.

 

Perform the following steps to configure the Outlook 2003 client to use SMTP/IMAP4 to connect to the Exchange Server:

 

1.       Right click the Outlook 2003 icon on the desktop and click the Properties command (figure 13).

 

Figure 13

 

2.       In the Mail Setup – Outlook dialog box (figure 14), click on the Ed-mail Account button in the E-mail Accounts frame.

 

Figure 14

 

3.       Select the Add a new e-mail account option in the E-mail Accounts page (figure 15).

 

Figure 15

 

4.       On the Server Type page (figure 16), select the IMAP option.

 

Figure 16

 

5.       Fill in the text boxes on the Internet E-mail Settings (IMAP) page (figure 17). Enter either a FQDN or IP address in the Incoming mail server (IMAP) and Outgoing mail server (SMTP) text boxes. If you use an IP address, make sure the IP address is the same IP address you use in the IMAP and SMTP Server Publishing Rules. If you use a FQDN, then make sure that FQDN resolves to the address on the external interface of the ISA Server firewall that you used in the SMTP and IMAP Server Publishing Rule.

 

Note that if you wish to use secure SMTP and secure SMTP connections, you must use FQDNs. The FQDN you use in the Incoming mail server (IMAP) and Outgoing mail server (SMTP) text boxes must be the same as the common name in the server certificate used by the POP3 or SMTP service you connect to.

 

In this example we have bound a Web server certificate to the IMAP and SMTP services that have the common name mail.internal.net. Therefore, we enter mail.internal.net in the SMTP and IMAP text boxes. If you are not using secure connection, then you can enter an IP address in these text boxes instead of a FQDN.

 

Click the More Settings button (figure 17).

 

Figure 17

 

6.       In the Internet E-Mail Settings dialog box (figure 18), click on the Outgoing Server tab. Put a checkmark in the My outgoing server (SMTP) requires authentication checkbox if you are publishing your own SMTP server and require authentication.

 

You have two options: Use same settings as my incoming mail server and Log on using. If you are publishing your own SMTP server, there is a good chance that the SMTP server belongs to the same domain, or a trusting domain, as the IMAP server and the user accounts database. In that case, you would use the Use same settings as my incoming mail server option. If the SMTP server uses a user database that is not the same as the IMAP server database, then configure the SMTP server credentials to be different than the IMAP credentials.

 

Figure 18

 

7.       Click the Advanced tab (figure 19). Put checkmarks in the This server requires an encrypted connection (SSL) checkboxes. This forces the client to negotiate a secure SSL connection with the IMAP and SMTP servers. You can leave the email on the Exchange Server if you put a checkmark in the Leave a copy of messages on the server checkbox. This is helpful if the user would like to be able to access the messages from the full MAPI connection when the user returns to the office.

 

Click OK.

 

Figure 19

 

8.       Click Next on the Internet E-mail Settings (IMAP) page (figure 20).

 

Figure 20

 

9.       Click Finish on the Congratulation page (Figure 21).

 

Figure 21

 

10.   Click Apply and click OK in the Mail dialog box (figure 22).

 

Figure 22

 

11.   Open Outlook 2003. Right click on the IMAP account in the left pane of the application and click on the IMAP Folders command (figure 23).

 

Figure 23

 

12.   In the IMAP Folders dialog box (figure 24), select a folder whose headers you would like to automatically download from the list on the All tab. Click the Subscribe button.

 

Figure 24

 

13.   Click on the Subscribed tab (figure 25). This shows you a list of the folders you’re subscribed to. Click Apply and then click OK.

 

Figure 25

 

14.   Click on the Inbox node in the left pane of the application. Notice that you can flag entries with different color coded flags (figure 26).

 

Figure 26

 

15.   Notice in the Inbox pane that you can put a checkmark next to a message indicating that you have followed up on the task associated with that message (figure 27).

 

Figure 27

 

 

Configure the Outlook 2003 Client for Secure RPC Connections

 

Outlook can access the Exchange Server from a remote location using the Exchange RPC protocol. This mail access protocol provides the highest level of functionality to the Outlook 2003 client. The Outlook 2003 client has full access to the entire array of Exchange services when connecting via secure Exchange RPC.

 

Perform the following steps to configure the Outlook 2003 client to use secure Exchange RPC:

 

 

1.       Right click on the Outlook 2003 icon on the desktop and click Properties (figure 28).

 

Figure 28

 

2.       Click on the E-mail Account button in the E-mail Accounts frame (figure 2).

 

Figure 29

 

3.       In the E-mail Accounts page, select the Add a new e-mail account option (figure 30) and click Next.

 

Figure 30

 

4.       On the Server Type page (figure 31), select the Microsoft Exchange Server option and click Next.

 

Figure 31

 

5.       On the Exchange Server Settings page, type in the FQDN of the Exchange Server. The FQDN is the name that resolves to the IP address on the external interface of the ISA Server firewall that you used in the secure RPC Server Publishing Rule. Put a checkmark in the Use Cached Exchange Mode checkbox to conserve bandwidth and allow you to access your mail when not connected to the Exchange Server.

 

In the User Name text box, type the name of the user account and click the Check Now button (figure 32).

 

Figure 32

 

6.       The name of the Exchange Server appears in the Microsoft Exchange Server text box and replaces the name you initially entered. The name of the server is underlined and the user name also is underlined after the connection to the Exchange Server is successful. Click the More Settings button (figure 33). (From this point onwards, the Outlook 2003 client must be able to correctly resolve the name you see in the Microsoft Exchange Server text box.)

 

Figure 33

 

7.       In the Microsoft Exchange Server dialog box (figure 34), click on the Advanced tab. Put checkmarks in the Use Cached Exchange Mode and Download Public Folder Favorites checkboxes to save bandwidth and to make the users information available when not connected to the Exchange Server.

 

Figure 34

 

8.       Click on the Security tab (figure 35). Put a checkmark in the Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server checkbox. Put a checkmark in the Always prompt for user name and password checkbox. Use the default Log on network security setting Kerberos/NTLM Password Authentication.

 

Click Apply and then click OK.

 

Figure 35

 

9.       Click Next in the Exchange Server Settings page (figure 36).

 

Figure 36

 

10.   A Microsoft Office Outlook – Enter Password dialog box appears (figure 37). Enter your User Name, Password, and Domain Name and click OK.

 

Figure 37

 

11.   Click Yes in the dialog box that asks if you want your mail delivered to your local personal folder. Note that this does not mean that the mail is removed from the server; the mail is stored both on the local machine and at the Exchange Server. If this is what you want, then click Yes.

 

Figure 38

 

 

12.   Click Finish on the Congratulations page (figure 39).

 

figure 39

 

13.   Click Close on the Mail Setup dialog box (figure 40).

 

Figure 40

 

 

 

Configure the Outlook 2003 Client for Secure RPC over HTTP Connections

 

You must use Outlook 2003 running on Windows XP Service Pack 1 to connect using the RPC over HTTP connection method. In addition, you must install the hotfix mentioned in Microsoft KB article Outlook 11 Performs Slowly or Stops Responding When Connected to Exchange Server 2003 Through HTTP. Download and install the hotfix before configuring a profile that allows the user to connect to the Exchange Server.

 

It is important to note that you must create the profile while the Outlook 2003 computer is on the internal network, or while the Outlook 2003 computer is on the Internet and can access the Exchange Server using RPC (TCP 135) via a secure Exchange RPC Server Publishing Rule. You will not be able to create a new profile or change an existing profile to use RPC over HTTP if the machine does not have access to the Exchange Server via RPC (TCP 135).

 

This bears repeating: you will not be able to create a new Outlook profile when the Outlook client is not on the internal network and can access the Exchange Server using RPC via TCP 135, or access the Exchange Server via a secure Exchange RPC Server Publishing Rule. In addition, a user with an existing profile will not be able to alter the existing profile so that he can use RPC over HTTP if that client is not to access the Exchange Server using TCP 135. The Outlook 2003 profile must be configured to use RPC over HTTP while that machine is connected to the internal network and can access the Exchange Server via TCP port 135, or via a secure Exchange RPC Server Publishing Rule.

 

Perform the following steps to create the Outlook 2003 profile:

 

1.       Click Start and then right click on the Outlook 2003 icon in the menu. Click on the Properties command (figure 41).

 

Figure 41

 

2.       Click the Add button in the Mail dialog box (figure 42).

 

Figure 42

 

3.       Type in a name for the profile in the Profile Name text box (figure 43). Click OK.

 

Figure 43

 

4.       Select the Add a new e-mail account option in the This wizard will allowyou to change the e-mail accounts the direction that Outlook uses page (figure 44). Click Next.

 

Figure 44

 

5.       On the Server Type page (figure 45), select the Microsoft Exchange Server option and click Next.

 

Figure 45

 

6.       On the Exchange Server Settings page (figure 46), type in the FQDN of the front-end Exchange Server. This must be the same name used on the Web site certificate you have assigned to the front-end Exchange Server’s Web site.

 

For example, we obtained a Web site certificate for the front-end Exchange Server’s Web site. The Common Name (CN) on the Web site certificate is owa.internal.net. Therefore we enter owa.internal.net in the Microsoft Exchange Server text box.

 

Type a user account name in the User Name text box. Click the Check Name button to confirm that the Outlook 2003 client machine can communicate with the front-end Exchange Server.

 

Put a checkmark in the Use local copy of Mailbox checkbox.

 

Click the More Settings button.

 

Figure 46

 

7.       You can change how Outlook detects the connection state on the General tab of the Microsoft Exchange Server dialog box (figure 47). Do not make any changes here unless you have an explicit reason to do so. The default settings works fine in almost all circumstances.

 

Figure 47

 

8.       Click on the Advanced tab (figure 48). Confirm that there is a checkmark in the Use local copy of Mailbox checkbox. The default selection is Download headers followed by full item.

 

Figure 48

 

9.       Click on the Security tab (figure 49). Put a checkmark in the Encrypt information checkbox. I’m not sure this does anything when you use RPC over HTTP, but encryption is a good thing, so we’ll enable this checkbox anyhow. If the Outlook 2003 client users the same encryptions mechanism used for other RPC connections, the data inside the HTTP tunnel is encrypted with 56-bit MD5 encryption.

 

Figure 49

 

10.   Click on the Connection tab (figure 50). Select the Connect using my Local Area Network (LAN) option. Put a checkmark in the Connect to my Exchange mailbox using HTTP, then click the Exchange Proxy Settings button.

 

Figure 50

 

11.   You configure the specifics of the RPC over HTTP session in the Exchange Proxy Settings dialog box (figure 131). Type in the FQDN to your front-end Exchange Server in the Use this URL to connect to my proxy server for Exchange text box. This is same name listed as the Common Name on the Web site certificate.

 

Put a checkmark in the Mutually authenticate the session when connecting with SSL checkbox. Put in the FQDN of the front-end Exchange Server (the same name listed on the Web site certificate) in the Principal name for proxy server text box. Use the format:

 

msstd:FQDN

 

For example, we use msstd:owa.internal.net for our published front-end Exchange Server because the Common Name on the certificate is owa.internal.net. This is the common name on the certificate used by the Incoming Web Requests listener to impersonate the front-end Exchange Server.

 

Put a checkmark in the Connect using HTTP first, then connect using my Local Area Network (LAN). This is an interesting setting, as it’s unclear what a “LAN” protocol is in contrast to an “HTTP” protocol. I assume it means to use unencapsulated RPC messages, but I can’t say that for sure.

 

In the Use this authentication when connecting to my proxy server for Exchange drop down box, select the Basic Authentication option. This forces you to use SSL, which is OK, because we are using SSL for our links.

 

Click OK on the Exchange Proxy Settings dialog box (figure 51).

 

Figure 51

 

12.   Click Apply and OK on the Microsoft Exchange Server dialog box (figure 52).

 

Figure 52

 

13.   Click Next on the Exchange Server Settings page (figure 53).

 

Figure 53

 

14.   Click Finish on the Congratulations! Page (figure 54).

 

Figure 54

 

15.   Click OK on the Mail dialog box (figure 55).

 

Figure 55

 

16.   Open Outlook 2003. You will be able to use HTTPS for the connection, as confirm in the Exchange Server Connection Status window (figure 56). You can access the connection status window by right clicking on the Outlook 2003 icon in the system tray and selecting the connection status command right after you start up Outlook 2003.

 

Figure 56

 

 

 

DNS Notes for Remote Outlook 2002 MAPI Client Access

 

There are special DNS considerations for the Outlook 2002 client. Please refer to the section DNS Notes for Remote Outlook 2000 MAPI Client Access at the end of the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document Configuring the Outlook 2000 Email Client for important details on DNS support for the Outlook MAPI client. I also recommend that you review ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document Configuring DNS to Support Exchange Server Publishing.