Configuring Airlock Gateway for Outlook Anywhere

Microsoft introduced Outlook Anywhere (formerly known as RPC over HTTP) with Exchange 2003. It enables Outlook clients to access their Exchange mailbox without the need for a VPN connection. This is achieved by encapsulating the RPC requests in HTTP requests.

The following sections show the steps required to configure Outlook Anywhere behind Airlock Gateway.

Included steps:

  • Preparing Outlook Anywhere for the Airlock Gateway integration.
  • Creating an Airlock Gateway virtual host for Outlook Anywhere.
  • Creating an Airlock Gateway back-end group for Outlook Anywhere.
  • Creating multiple Airlock Gateway mappings for Outlook Anywhere.
  • Configuring TCP connection termination with TCP-RST packets.
  • Disabling the Airlock Gateway HardChild timeout.
  • Verifying the availability of sufficient Security Gate processes.
  • Activating your configuration.

Chapter-related warnings

With Exchange 2013 SP1, Microsoft created a successor called MAPI over HTTP, which comes with improved Outlook connectivity and responsiveness.

Chapter-related prerequisites

  • Airlock Gateway for Outlook Web Access / Outlook on the Web must have been configured and authentication enforcement must be enabled.
  • You must be logged in as admin in the Airlock Gateway Configuration Center.

Preparing Outlook Anywhere for the Airlock Gateway integration

Two steps are required to prepare Outlook Anywhere for integration behind the Airlock Gateway:

  • Installing the RPC-over-HTTP-proxy feature on the Windows server. This step is only required for RPC over HTTP setups. Skip it when MAPI over HTTP is used.
  • Configuring the external FQDN for Outlook Anywhere.

This section explains how to proceed.

Procedure-related prerequisites:

  • This configuration takes place in Outlook Anywhere.
  • You need to run all commands with administrative permissions.

  1. Installing the RPC-over-HTTP proxy feature on the Windows Server:
    1. Open the Windows PowerShell via Run as administrator.
    2. Run the following command: Install-WindowsFeature RPC-over-HTTP-proxy, Web-Basic-Auth
  2. Configuring the external FQDN for Outlook Anywhere:
    1. Open the Exchange Management Shell via Run as administrator.
    2. Run the following commands. Be sure to enter the fully qualified domain name (FQDN) for the external host in the argument ExternalHostname.
# List all Outlook Anywhere virtual directories. 
Get-OutlookAnywhere

# Enable Basic Authentication and SSL
Set-OutlookAnywhere `
  -Identity "Rpc (Default Web Site)" `
  -ExternalHostname "exchange.ext.virtinc.com" `
  -InternalClientsRequireSsl $True `
  -ExternalClientsRequireSsl $True `
  -SSLOffloading $True `
  -InternalClientAuthenticationMethod Basic `
  -ExternalClientAuthenticationMethod Basic `
  -IISAuthenticationMethods Basic

# Restart IIS to ensure these changes are active
iisreset /timeout:120 /noforce
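
To confirm that the settings above took effect, the following added example (not part of the original Airlock documentation) compares each Outlook Anywhere virtual directory with the expected values and reports any deviation. The function name Test-OutlookAnywhereSetting, the $expected table and the constructed sample object (including the server name EXCH01) are assumptions made for illustration.

```powershell
# Added example: Test-OutlookAnywhereSetting is an illustrative helper, not an Exchange cmdlet.
function Test-OutlookAnywhereSetting {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $VirtualDirectory,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    process {
        foreach ($name in $Expected.Keys) {
            # Normalise to sorted strings so hostnames, enums and multi-valued
            # properties (IISAuthenticationMethods) compare the same way.
            $actual = @($VirtualDirectory.$name | ForEach-Object { "$_" } | Sort-Object) -join ','
            $wanted = @($Expected[$name] | ForEach-Object { "$_" } | Sort-Object) -join ','
            [pscustomobject]@{
                Identity = "$($VirtualDirectory.Identity)"
                Setting  = $name
                Expected = $wanted
                Actual   = $actual
                Match    = ($actual -eq $wanted)
            }
        }
    }
}

# Expected values, taken from the Set-OutlookAnywhere call above.
$expected = [ordered]@{
    ExternalHostname                   = 'exchange.ext.virtinc.com'
    InternalClientsRequireSsl          = $true
    ExternalClientsRequireSsl          = $true
    SSLOffloading                      = $true
    InternalClientAuthenticationMethod = 'Basic'
    ExternalClientAuthenticationMethod = 'Basic'
    IISAuthenticationMethods           = 'Basic'
}

# Constructed sample standing in for Get-OutlookAnywhere output; NTLM is still
# enabled in IIS here, so exactly one row is reported as a mismatch.
$sample = [pscustomobject]@{
    Identity                           = 'EXCH01\Rpc (Default Web Site)'
    ExternalHostname                   = 'exchange.ext.virtinc.com'
    InternalClientsRequireSsl          = $true
    ExternalClientsRequireSsl          = $true
    SSLOffloading                      = $true
    InternalClientAuthenticationMethod = 'Basic'
    ExternalClientAuthenticationMethod = 'Basic'
    IISAuthenticationMethods           = @('Basic', 'Ntlm')
}
$sample | Test-OutlookAnywhereSetting -Expected $expected | Where-Object { -not $_.Match }
```

In the Exchange Management Shell, replace `$sample` with `Get-OutlookAnywhere` to check the real virtual directories; an empty result means every checked setting matches.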

Creating an Airlock Gateway virtual host for Outlook Anywhere

Next, create an Airlock Gateway virtual host for Outlook Anywhere.

Procedure-related prerequisites:

  • This configuration and the following ones are performed in the Airlock Gateway Configuration Center.
  • You must be logged in as admin.

Proceed as follows:

  1. Go to: Application Firewall >> Reverse Proxy and click the + sign at the top of the Virtual Host column.
  2. Enter the virtual host's FQDN and IP address:
    • Host name (FQDN): exchange.ext.virtinc.com
  3. Select a network interface.
  4. Enable the checkbox HTTP listener.
  5. Enable the checkbox HTTPS listener.
  6. Enable the checkbox Redirect to HTTPS.
  7. Change to the SSL tab.
  8. Select the Server certificate according to the FQDN of the virtual host.
  9. A virtual host has been pre-configured.

Creating an Airlock Gateway back-end group for Outlook Anywhere

To create an Airlock Gateway back-end group for Outlook Anywhere, proceed as follows:

  1. Go to: Application Firewall >> Reverse Proxy and click the + sign at the top of the Back-end Group column.
  2. Enter a self-documenting name for Back-end Group Name.
  3. Set the following values:
    • Protocol: http
    • Back-end Host: exchange.int.virtinc.com
    • Port: 80
  4. A back-end group has been pre-configured.

Creating multiple Airlock Gateway mappings for Outlook Anywhere

The next step consists of connecting the previously created virtual host and back-end group with multiple Outlook Anywhere mappings.

Procedure-related prerequisites:

  • The previously described configuration steps must have been carried out.

Proceed as follows:

  1. Go to: Application Firewall >> Reverse Proxy and click the + sign at the top of the Mapping column.
  2. Choose New from template >> Outlook Anywhere. Choose a template version that matches your Outlook Anywhere version.
  3. The following mappings, based upon the template, have been created:
    • -Exchange Autodiscover
    • -Exchange EWS
    • -Exchange MAPI
    • -Exchange OAB
    • -Exchange Outlook Anywhere
  4. Go to: Application Firewall >> Reverse Proxy
  5. Connect the new Outlook Anywhere mappings with the corresponding virtual host, which is exchange.ext.virtinc.com.
  6. Connect the new Outlook Anywhere mappings to the corresponding back-end group.
  7. The mappings have been established.

Configuring TCP connection termination with TCP-RST packets

Outlook clients use TCP-RST packets to terminate TCP connections. To achieve this behavior with Airlock Gateway, configure the expert settings as described below.

Without this configuration, there is no noticeable impact except that the back-end server might log HTTP errors with status code 400.

Procedure-related prerequisites:

  • The previously described configuration steps must have been carried out.

Proceed as follows:

  1. Go to: Application Firewall >> Reverse Proxy.
  2. Edit the Outlook Anywhere Back-end Group.
  3. Change to the Expert Settings tab.
  4. Select ON to enable the Security Gate expert settings.
  5. Enter the following expert settings:
    • BackendConnectionCloseByReset "TRUE"

Disabling the Airlock Gateway HardChild timeout

By default, Airlock Gateway terminates requests that last longer than 18 hours. Since requests from Outlook clients could run much longer, we recommend disabling the gateway's HardChild timeout.

Procedure-related prerequisites:

  • The previously described configuration steps must have been carried out.

Proceed as follows:

  1. Go to: Expert Settings >> Security Gate / Apache.
  2. Select ON to enable the Security Gate expert settings.
  3. Enter the following expert settings:
    • HardChildTimeout "0"

Verifying the availability of sufficient Security Gate processes

Next, you should verify whether Airlock Gateway has sufficient Security Gate processes available.

Proceed as follows:

  1. Apply the following knowledge base article: KB – Sufficient security processes available
  2. Use the following value for the calculation:
    • Number of proc per user: 4

Activating the Airlock Gateway configuration for Outlook Anywhere

You can now activate your Airlock Gateway configuration for Outlook Anywhere.

Proceed as follows:

  1. Click the Activate button on top of the main menu of the Configuration Center.
  2. The configuration has been updated successfully.