Exchange 2010 – Outlook Anywhere – Outlook is unable to connect to the proxy server. (Error Code 10)

I noticed the error message below:

OutlookProxyCert1

---------------------------
Microsoft Outlook
---------------------------
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site.

Outlook is unable to connect to the proxy server. (Error Code 10)
---------------------------
OK 
---------------------------

Definitely it is related to Outlook Anywhere and client (Outlook 2013) which wraps remote procedure calls (RPCs) with an HTTP layer. By default this feature is enabled and all outlook connectivity takes place over it based on valid SSL certificate on CAS server(s). Mailbox servers only require the default self-signed SSL certificate. According to screen shot above is either needed to have value “s04.testexch.local” in the certificate on CASs, switch off requiredSSL or change the value regarding to your needs (e.g. you have certificate with different value).

EAC

EAC_OutlookAnywhereEMS

Set-OutlookAnywhere

  • ExternalHostname
  • InternalHostname
  • ExternalClientAuthenticationMethod (Negotiate authentication: Enabled by default in Exchange 2013. This is a combination of Windows integrated authentication and Kerberos authentication. If we employ negotiate authentication, exchange will authenticate the client using NTLM authentication type and if unable to verify authenticity, will challenge the client to authenticate using a username and password.)
  • SSLOffloadingNote: The SSLOffloading parameter specifies whether the Client Access server requires SSL. This value should be set only to $true when an SSL hardware solution is running in front of the Client Access server.

Testing

Outlook Anywhere can be tested via Test-OutlookConnectivity or Remote Connectivity Analyzer

Solution

In my case I used a cert issued by internal CA with two subject alternative names mail.testexch.local and autodiscove.testexch.local. So it was needed to rewrite the attribute InternalHostname on each CAS server only.

[PS] C:\>Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname mail.testexch.local -In
ternalClientsRequireSsl $true
[PS] C:\>Get-OutlookAnywhere | fl server,name,*hostname,ssl*,*auth*

Server : s03
Name : Rpc (Default Web Site)
ExternalHostname : mail.testexch.com
InternalHostname : mail.testexch.local
SSLOffloading : True
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

Server : s04
Name : Rpc (Default Web Site)
ExternalHostname : mail.testexch2013.com
InternalHostname : mail1.testexch2013.local
SSLOffloading : True
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

EAC_OutlookAnywhere2Notes