
How do I configure Outlook Anywhere for specific external use?

How can I enable Outlook Anywhere to allow internal use for all users and external use for only some users in Exchange 2013?

Outlook Anywhere -- also referred to as RPC over HTTP -- is the default way all Outlook clients connect to their mailboxes on Exchange Server 2013.

Exchange Server 2013 does not provide a way to selectively disable external access to Outlook Anywhere and still allow it internally. However, it is not an unreasonable request to want all your users to leverage Outlook Anywhere internally while preventing some users from connecting to it from outside the corporate network.

If you only need to prevent some users from using Outlook Anywhere, then you could simply configure Outlook Anywhere as disabled for those users. The following command would disable Outlook Anywhere for all the users' mailboxes in a specific organizational unit in Active Directory:

Get-Mailbox -OrganizationalUnit "OrganizationUnitName" | Set-CASMailbox -MAPIBlockOutlookRPCHttp $True

This is only a partial resolution -- it would block Outlook Anywhere internally and externally for those restricted users.

Another partial answer, if you use a reverse proxy, is to block the path to the RPC directory for external users. This is a bit more complex; it may require you to configure a namespace for Outlook Anywhere separate from the other published services. Then, use reverse proxy settings to block or deny Outlook Anywhere connection attempts.

To view the current Outlook Anywhere internal and external hostnames, run the following command in the Exchange Management Shell:

Get-OutlookAnywhere | Format-List server, *hostname

This workaround allows all clients to use Outlook Anywhere internally, but also falls short because it blocks all users externally.

Some other options to investigate include using a pre-authentication tool like Unified Access Gateway or Web Application Proxy, or implementing a certificate authentication tool where specific groups of users are not allowed external access.

If none of the aforementioned options are appealing, there is still hope. The great news is that in Exchange Server 2016, the Set-CASMailbox cmdlet has a new parameter designed for this scenario:

Set-CASMailbox -Identity MailboxIdParameter -MAPIBlockOutlookExternalConnectivity $True

For more information on publishing Exchange 2013 with IIS ARR or WAP see:

Configuring Web Application Proxy with AD to future-proof Exchange

Reverse Proxy for Exchange Server 2013 using IIS ARR

When the MAPIBlockOutlookExternalConnectivity parameter is set to $True, external Outlook clients cannot use Outlook Anywhere or MAPI over HTTP. This option is fully supported and easier to configure than the workarounds. Perhaps this will be a key driver for you to upgrade to Exchange Server 2016.
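To apply the Exchange Server 2016 parameter to "internal for everyone, external for only some," the following added example (not code from the original article) blocks external Outlook connectivity for every user mailbox except members of an allow-list group, then lists who can still connect from outside. The group name External-Outlook-Allowed and the $preview switch are assumptions made for illustration.

```powershell
# Added example, not from the article. Run in the Exchange Management Shell on Exchange 2016.
# Assumption: 'External-Outlook-Allowed' is a hypothetical mail-enabled group whose members
# keep external Outlook access. Get-DistributionGroupMember does not expand nested groups.
$allowedGroup = 'External-Outlook-Allowed'
$preview      = $true   # $true = show intended changes only (-WhatIf); set to $false to apply

# Index the allow list by distinguished name for fast lookup.
$allowed = @{}
Get-DistributionGroupMember -Identity $allowedGroup -ResultSize Unlimited |
    ForEach-Object { $allowed[$_.DistinguishedName] = $true }

# Stop if the allow list is empty: that usually means a wrong group name,
# and continuing would block external access for every mailbox.
if ($allowed.Count -eq 0) { throw "Group '$allowedGroup' returned no members; aborting." }

# Collect mailboxes first; calling Exchange cmdlets inside another cmdlet's
# pipeline can fail in a remote shell session.
$mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    $dn      = $mbx.DistinguishedName
    $block   = -not $allowed.ContainsKey($dn)   # desired state for this mailbox
    $current = (Get-CASMailbox -Identity $dn).MAPIBlockOutlookExternalConnectivity

    # Only touch mailboxes whose setting differs from the desired state.
    if ($current -ne $block) {
        Set-CASMailbox -Identity $dn -MAPIBlockOutlookExternalConnectivity $block -WhatIf:$preview
    }
}

# Audit: mailboxes that can still connect with Outlook from outside the network.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { -not $_.MAPIBlockOutlookExternalConnectivity } |
    Sort-Object Name |
    Format-Table Name, MAPIBlockOutlookExternalConnectivity -AutoSize
```

Rerun the script after group membership changes; the setting is stored per mailbox and does not follow the group automatically.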

In the meantime, understand the risk of using the workarounds in your Exchange Server 2013 organization. They could have less than desired or even unpredictable results on other aspects of client connectivity and functionality. If you plan to configure Outlook Anywhere for external use, be cautious and test any changes in a nonproduction environment before making any changes in production.
