Enabling OutlookAnywhere in ClientAccess role causes inaccessible RemoteDesktop Gateway Server

Not open for further replies.


I did setup a very common and simple W2K8 R2 + Exchange2010 test environment consisting of 1 DC and one WIN7 client.
The inital installation sequence of the roles: AD DS + AD CS, DNS, DHCP. Then installing all Exchange2010 roles without Unified Messaging.
I am using a UCC certificate. Tests done by www.testexchangeconnectivity.com all positive.

As a last step I installed the RemoteGateway Server on top of all. I don't want to use TS App, just RD (MSTSC) to get access to all domain computer via internet.

The problem: Continous " Logon Attempt Failed" if I try to connect the DC via internet.

Any changes within the configuration of RDG or IIS didn't help at all.

I did start with a new strategy for trouble shooting.
Now I started again with a new installation, installing the RDG role very early, directly after AD DS, DHCP and DNS.
The UCC/SAN certificate (mail.domain.tld) I did import during installation of RDG role. This time no AD CS role installed.
So I could test the RDG server functionality in a very early state AND IT DID WORK. I got access to the DC via internet connection of MSTSC.
Next installation steps did follow with installing the CAS component of Exchange2010.
After CAS was installed, RDG server still works and I can access to the DC via Internet (MSTSC).

Now the surprise ....
In Exchange2010 Management Console , Server Configuration, ClientAccess you can enable/disable in the right pane the feature: OutlookAnywhere
I need this feature, so I did enable OutlookAnywhere. From this time on there is no access anymore possible to the RDG server.
I always get the " Logon Attempt Failed" again.

Once OutlookAnywhere has been enabled, it impacts RDG server forever.
Disabling the OutlookAnywhere doesn't bring the RDG server back to be accessible.

What I am doing here can be considered as a very common and basic setup of W2K8R2 + Exchange2010.
This problem should meet everybody who need to have in addition RD access through internet.
Is there any workaround ?

!! This RDG feature is running on my SBS2008 server without any problems !!
I just want to have the same features running on the new W2K8 R2 platform.
There must be a solution :)

How can I get my machine running ?
Help appreciated.


First of all - it's not really recommended to run Exchange 2010 on a DC.

Anyway.. Outlook Anywhere and TS Gateway both use the RPC over HTTP Proxy feature.

Looking at this blog post on Exchange-Genie.com shows what might be a workaround, and the one of the comments state it works with Exchange 2010 under Windows 2008 R2.

Hope this helps,


Steve Goodman
Check out my Blog for more Exchange info or find me on Twitter
Re: Enabling OutlookAnywhere in ClientAccess role causes inaccessible RD Gatew

I have a similar setup and am hitting the same problem.

We had installed Remote Desktop Gateway to allow our users to RDP (using mstsc.exe) into our network to their workstations so they can work from home.

We then implemented VPN (sstp) through Remote Access. Both of these were working fine! They both used the same SSL certificate which simply pointed to our ssl.domain.com. Port 443 was openned through our firewall to this machine.

Next we installed the Client Access Server role (CAS) on this RDG/VPN box. This spectacularly broke everything, as it placed the new UCC/SAN certificate in IIS 7 and bound it to all incoming traffic for port 443.

We went into RDP and VPN and set them to also use the same certificate. So now VPN works, but RDP is still broken and I get a "failed to login".

I found the solution just now after reading your small thread, and then finding a similar one at http://serverfault.com/questions/8597/ts-rd-gateway-authentication-problem-the-logon-attempt-failed

The solution for us was to go into IIS --> sites --> Rpc --> Authentication .. and enable "Windows Authentication".

It looks like CAS overwrote the IIS settings, disabling all the authentication types and only enabling "Basic Authentication" which is not enough for RDP. So we now have both "Basic" and "Windows Authentication" enabled, and our VPN (sstp), RDG, Outlook Web Access are all working using our UCC certificate from Godaddy, using port 443

(http over RPC). The next step for us now is to validate our exchange setup and away we go.

Somewhere along the way someone suggested to us we need to get multiple IPs in order to handle Exchange, RDG and VPN. We're still not finished installing Exchange so who knows, we may have to, but for the time being we have CAS, RDG and VPN behaving well with a single IP over port 443 with UCC certificate.

Hope this proves helpfull if the problem was not solved for you.
Not open for further replies.