Friday, 20 September 2024

Entra Private Access and Exchange On-premises

Entra Private Access enables secure access over the Internet to any on-premises application, based on any port or protocol that uses TCP or UDP.

I previously published a blog post on my first look at Entra Private Access. In that post I showed how to configure enterprise applications to allow RDP and filesharing to on-premises resources. In this blog post I want to show how I configured EPA to allow Outlook to connect to Exchange 2019 (on-premises).

It should just work, right? Well, not really.

When you create an enterprise application EPA you need to know the path and port used for communication. In this case, for Outlook communication, I needed to know about the Exchange Client Access Server. The Client Access server (CAS) role in Exchange is responsible for accepting all forms of client connections, including those from Outlook, Outlook Web App, and ActiveSync. It authenticates and redirects these requests to the appropriate Mailbox server.

Therefore the first thing I needed to know was how Outlook communicates with Exchange. For this we need to look at the Outlook connection status on a working device.


In order to view the Connection Status option, hold down the CTRL key and right-click the Outlook systray icon. You should now see the Connection Status option. Click on it to check your status. You will see Outlook communicating with the CAS on ports 80 and 443. Note the URL of the CAS server and create EPA enterprise applications allowing access to the CAS server on ports 80 and 443.

That should do it, right? Well, not really.

In previous Outlook versions (Outlook 2007, 2010 & 2013) you have the option to manually set up and configure an Exchange account. In the latest Outlook versions (2016/2019 or 365) this option is missing and manual setup is not available. The setup relies on Autodiscover. Autodiscover greatly simplifies the process of configuring Outlook to communicate with an Exchange server by automatically determining which Exchange server the user’s mailbox is on and configuring Outlook to communicate with that server. This makes it much easier for end users to configure Outlook, since the only things they need to know are their email address (UPN) and password.

Outlook looks in Active Directory and DNS to find the Autodiscover information (autodiscover.xml). However, I hadn't allowed any connection to a domain controller or DNS server via Entra Private Access, and it's unlikely any organization would allow that. I had to find a "local" solution that I could control myself. I got some inspiration from Konstantinos at wintips.org.

  1. Create your own Autodiscover.xml file
  2. Copy the Autodiscover.xml file to a local folder
  3. Edit the registry to look for Autodiscover.xml in the local folder
  4. Launch Outlook

Create your own Autodiscover.xml file

Edit a standard Autodiscover xml file with details of your CAS server (the RedirectUrl element below). This should match the CAS that you used for the enterprise applications previously.

<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>redirectUrl</Action>
      <RedirectUrl>https://cas.yourdomain.local/Autodiscover/Autodiscover.xml</RedirectUrl>
    </Account>
  </Response>
</Autodiscover>

Copy the Autodiscover.xml file to a local folder


In this case the path is now C:\Autodiscover\Autodiscover.xml

Edit the registry to look for Autodiscover.xml in the local folder

Open Registry Editor and navigate to the following location:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook


Right click on Outlook key and create a New Key with name: Autodiscover

Then select the Autodiscover key and at the right pane create the following values:

yourdomain.local (REG_SZ) with value: C:\AutoDiscover\autodiscover.xml

PreferLocalXML (DWORD) with value: 1

Replace "yourdomain.local" (the REG_SZ value name above) with your own domain name.

Launch Outlook

Now you can launch Outlook and run through the wizard (make sure that the Global Access client is started).


Now the wizard completes successfully.

Outlook is connected to Exchange 2019 on-premises over Entra Private Access.

All that was left to do was to automate the solution using Intune. Using a Win32 app, I copied the Autodiscover.xml file to the local folder and configured the registry.
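As an added example (not the script from the original post), the steps above collapsed into one PowerShell script that can serve as the install command of an Intune Win32 app. The CAS host name, domain and folder are placeholders to replace with your own values; because the override lives under HKCU, the app must be deployed to run in the user context.

```powershell
# Added example: writes the local Autodiscover.xml and the Outlook registry override
# described in the post. Values below are placeholders, not real infrastructure.
param(
    [string]$CasHost = 'cas.yourdomain.local',   # must match the CAS used in the EPA enterprise apps
    [string]$Domain  = 'yourdomain.local',       # UPN / SMTP domain of the mailbox
    [string]$Folder  = 'C:\Autodiscover'
)
$ErrorActionPreference = 'Stop'
$xmlPath = Join-Path $Folder 'Autodiscover.xml'

# Step 1: build the Autodiscover.xml that redirects Outlook straight to the CAS.
$xml = @"
<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>redirectUrl</Action>
      <RedirectUrl>https://$CasHost/Autodiscover/Autodiscover.xml</RedirectUrl>
    </Account>
  </Response>
</Autodiscover>
"@

# Step 2: place the file in the local folder.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Set-Content -Path $xmlPath -Value $xml -Encoding UTF8

# Step 3: tell Outlook 2016/2019/365 to use the local file for this domain
# and to prefer it over the Active Directory / DNS lookup.
$regPath = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Autodiscover'
New-Item -Path $regPath -Force | Out-Null
New-ItemProperty -Path $regPath -Name $Domain -PropertyType String -Value $xmlPath -Force | Out-Null
New-ItemProperty -Path $regPath -Name 'PreferLocalXML' -PropertyType DWord -Value 1 -Force | Out-Null

# Verify both artefacts exist so Intune reports a failed install if anything is missing.
$value = (Get-ItemProperty -Path $regPath -Name $Domain -ErrorAction SilentlyContinue).$Domain
if (-not (Test-Path $xmlPath) -or $value -ne $xmlPath) { exit 1 }
exit 0
```

The same Test-Path and registry-value check can be reused as the Win32 app's detection script.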

I hope this helps. Until next time.......

1 comment:

  1. "However I hadn't allowed any connection to a domain controller or DNS server via Entra Private Access, and it's unlikely any organization would allow that"

    Sorry if I'm missing something here Gerry, but isn't that a major selling point of the UDP and private DNS feature in entra private access?

    https://www.youtube.com/watch?v=qdNzvy5U3Sw

    Even if you don't want to allow connections to the DC itself, it sounds like the private DNS feature would resolve your issue?
