2007 to 2013 Migration with Outlook Anywhere Basic Authentication

I am in the process of testing Exchange 2007 to 2013 migration. I have a question regarding Outlook Anywhere settings on Exchange 2013.  Sorry for the long post, question is at bottom.

My current Exchange 2007 server is set up to use Basic Authentication for Outlook Anywhere.  I have many domain-joined laptops that frequently leave the internal network.  I have ISA 2006 set up to proxy Outlook Anywhere and it works great; when the laptop is on the internal network, Outlook connects via RPC and NTLM as expected.  When the laptop is outside the network, Outlook connects via ISA 2006 using Basic authentication.

I have a Kemp Load Balancer set up to proxy the new Exchange 2013 server; the Kemp balancer does handle pre-authentication (Basic) just like the ISA 2006 server does.

I am now at the point where Exchange 2013 is installed in the environment and configured (URLs, certificates, DBs, etc).  I have not started to configure co-existence yet, so all DNS still points to the Exchange 2007 server.  What I have done though is tested Exchange 2013 by creating a mailbox on 2013 and tested operation by modifying the HOST file on a client to point to the new Exchange 2013 server.  Outlook 2007 connects successfully to the Exchange 2013 account.

However, this is where I run into the issue: When I change the HOST file of the test client to point to the Kemp Load Balancer to test operation, Outlook will no longer connect, but instead will provide an endless password prompt!  So I look at the Outlook 2007 Outlook Anywhere settings and it has the Proxy Authentication settings set to NTLM and not Basic, which explains the issue.  If I change to Basic, Outlook can then connect just fine through the Kemp Proxy.

But of course once I simulate the client being back on the internal network by changing the HOST file back to point to the Exchange 2013 server, autodiscover then changes the Outlook Proxy Authentication type back to NTLM!  I would then have to manually change back to Basic when not on the internal network!

TLDR:

My question is this:  How can I set up Exchange 2013 Outlook Anywhere to use NTLM inside the network and Basic outside the network like is done in Exchange 2007?  Or can you only use one authentication method?

What is confusing me is I can see an Internal Authentication method and an External Authentication method in the Exchange 2013 Outlook Anywhere settings, but it looks like I can only change the External Authentication method.  Outlook 2007 configures itself via Autodiscover to use the Internal settings.

thanks

March 19th, 2015 4:09pm

Hi

Maybe this link explains it better than I can type it for you:

http://msexchangeguru.com/2013/01/10/e2013-outlook-anywhere/

March 20th, 2015 1:01am

I have come across that link.  It does not quite apply to my question though.  I need to know if it is possible to have Basic outside the network on a domain-joined machine and NTLM inside the network on a domain-joined machine.

In my testing it appears that Outlook is using NTLM inside the network as expected, but it looks like it still tries to use NTLM outside the network.

I have set Basic as the external authentication method for Outlook Anywhere, but the Outlook 2007 Outlook Anywhere settings still show the Internal authentication method (which according to the link is normal).  But it does not appear that it will use Basic when outside the network and I get never-ending username/password prompts!

Follow-up question: how is Exchange determining if a connection is internal or external for OA?  The way I am seeing it is that it should depend on which URL is being used.  But what if the internal and external URL is the same?

March 20th, 2015 5:09pm

Any suggestions?
April 13th, 2015 12:03pm

This topic is archived. No further replies will be accepted.
