Outlook Anywhere can't work fully while Outlook client is connected from external
The Exchange server is 2007 with sp1. All clients use Outlook 2010. No problem while the clients are connected to internal network (that is, inside of the corporate firewall). The Firewall is ISA 2006. VPN clients also no problem. While connecting remotely through the Internet, and when doing these:
1. Reply All
2. Accept appointment invitation and click Send
3. Create a new e-mail and send to anyone who the sender has never sent before, when click on Send
Outlook produces this error: "The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action."
If just doing Reply, there is no problem. If create a new e-mail and send to anyone which the sender has sent before using Outlook, it is okay. There are a lot of articles if I Google for this error, but I haven't come across one that is "Inside can, Outside cannot, and only to certain functions" like what I described. On ISA server, Outlook Anywhere is published, is this warning the cause? Can anyone enlighten me on the right way to start figuring out what configuration needs to be checked and rectified?
Valuable skills are not learned, learned skills aren't valuable.
December 28th, 2011 12:33am

On Wed, 28 Dec 2011 05:25:37 +0000, SingChung wrote:
> The Exchange server is 2007 with sp1. All clients use Outlook 2010. No problem while the clients are connected to internal network (that is, inside of the corporate firewall). The Firewall is ISA 2006. VPN clients also no problem. While connecting remotely through the Internet, and when doing these:
> 1. Reply All
> 2. Accept appointment invitation and click Send
> 3. Create a new e-mail and send to anyone who the sender has never sent before, when click on Send
> Outlook produces this error:
> "The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action."
> If just doing Reply, there is no problem. If create a new e-mail and send to anyone which the sender has sent before using Outlook, it is okay.
> There are a lot of articles if I Google for this error, but I haven't come across one that is "Inside can, Outside cannot, and only to certain functions" like what I described.
> On ISA server, Outlook Anywhere is published, is this warning the cause?
> Can anyone enlighten me on the right way to start figuring out what configuration needs to be checked and rectified?
You might want to visit https://testexchangeconnectivity.com and run the tests available there. The "Certificate" value in your screenshot looks odd, though. That should be the CN name on the cert and "com" should probably be something like "owa.domain.com".
--- Rich Matheisen MCSE+I, Exchange MVP
December 28th, 2011 5:20pm

Thanks. The results from Remote Connectivity Analyzer: It shows that autodiscover is not published to external. Well that's a good finding, so the Exchange Server implementer had not published the Autodiscover to external. However since all the Outlook clients are configured manually, I believe autodiscover is not required. Clients are configured using Microsoft Exchange Proxy, with Basic authentication. Yesterday I checked with some users and found that this problem only happens to Outlook clients. Staff who use iPad and Blackberry do not have this problem. The test result also says 443 is not opened on the host, that is quite strange as the Firewall Rule for Outlook Anywhere specifically opens up 443. Also if 443 is not opened how can Outlook Anywhere do the Reply and send mail correctly (only have problem in Reply All and send new mail to person who Outlook has no record yet)? In what ways is the connectivity different when Outlook does Reply vs Reply All? Valuable skills are not learned, learned skills aren't valuable.
December 28th, 2011 10:02pm

Hi SingChung, I am suspecting the issue is related to the OAB file, which is not updated due to the Autodiscover issue. I would suggest you run the problematic client in Online mode and then test again to see if the issue continues. Note: you might encounter performance issues. Just ignore them and continue the test. Besides, move the affected user inside the firewall, download the OAB (client send/receive and then select download address book), then move it out and test again to see if the issue reoccurs. If the above test finishes without error, we may confirm the issue is caused by OAB. And you may follow the steps below to troubleshoot this issue: Add an A record in your external DNS and point to your CAS server's external IP address (or the firewall). The record should match your SMTP suffix. For example, your email address is user@contoso.com, then add a record of https://contoso.com/autodiscover/autodiscover.xml. Specify the external OAB URL. Refer to: http://technet.microsoft.com/en-us/library/bb201695.aspx. Note that the name and the certificate should be matched. Hope it is helpful. Fiona Liao TechNet Community Support
December 28th, 2011 10:17pm

On Thu, 29 Dec 2011 02:55:02 +0000, SingChung wrote:
> It shows that autodiscover is not published to external. Well that's a good finding, so the Exchange Server implementer had not published the Autodiscover to external. However since all the Outlook clients are configured manually, I believe autodiscover is not required. Clients are configured using Microsoft Exchange Proxy, with Basic authentication.
I'm not sure what a "Microsoft Exchange Proxy" is. Do you mean ISA 2006? If so, you've already conveyed that information.
> Yesterday I checked with some users and found that this problem only happens to Outlook clients. Staff who use iPad and Blackberry do not have this problem.
Blackberry would use either Blackberry Enterprise Server, POP3, IMAP4, or their connection to OWA. iPad (and other ActiveSync devices) use a different URL (or they're using POP/IMAP). You'll probably find that OWA users don't experience the problem, either.
> The test result also says 443 is not opened on the host,
The only place I see "443 not working" is in the text you entered. The online test says port 80 isn't accessible. The tests for SSL (port 443) all work except for the CN of the certificate which appears to contain only the "DC" components and those may be reversed (i.e. with "com" placed before the "domain").
> that is quite strange as the Firewall Rule for Outlook Anywhere specifically opens up 443. Also if 443 is not opened how can Outlook Anywhere do the Reply and send mail correctly (only have problem in Reply All and send new mail to person who Outlook has no record yet)? In what ways is the connectivity different when Outlook does Reply vs Reply All?
There shouldn't be any difference except for the set of recipients the reply would go to.
--- Rich Matheisen MCSE+I, Exchange MVP
December 29th, 2011 12:04am

Thank you. I was told the issue with OAB has been there since the day they upgraded Exchange from 2003 to 2007. I constantly have to move my notebook in and out of the corporate network, so whenever I am connected inside, I am okay. While connected outside, I always face the "Outlook must be online or connected" error. So, what I normally do is to use Windows Live mail to send if I have not sent to that e-mail address before in Outlook. When I do a Download Address Book, I got the error "Task singchung@xxxxxxx.com reported error (0x8004010F): The operation failed. An object cannot be found." It seems that the "An object cannot be found" error is related to misbehaviour of OAB, and the Reply All? Valuable skills are not learned, learned skills aren't valuable.
December 29th, 2011 12:15am

Rich, In Outlook 2010, in Account Settings, Server Settings, More Settings, General, under Outlook Anywhere, Connect to Microsoft Exchange using HTTP, click on the button "Exchange Proxy Settings", under "Use this URL to connect to my proxy server for Exchange", here we use the external DNS name of the exchange server. There is no Blackberry Enterprise Server configured, POP3 and IMAP4 are not enabled on Exchange. In the Remote Connectivity Analyzer, under the testing RPC/HTTP connectivity, it says "The specified port is either blocked, not listening or not producing the expected response". Are you able to see the image file I uploaded in the post (maybe some browser not supporting?)? Valuable skills are not learned, learned skills aren't valuable.
December 29th, 2011 2:17am

Hi there, When you do all these (Reply All, accept appointment invitation and click Send, create a new email with a new sender), Outlook is trying to resolve the name. That's why I am suspecting it is related to the OAB issue. Fiona Liao TechNet Community Support
December 29th, 2011 3:25am

Thanks. So I have to resolve the "An Object cannot be found" issue of OAB. Since all the Outlook clients are experiencing the same problem, the problem must be on Exchange server, but why only if the clients are outside of the office network, outside of corporate firewall? Is it also related to ISA? The "An object cannot be found" error occurred when the clients are directly connected 'online' in the corporate network. Valuable skills are not learned, learned skills aren't valuable.
December 29th, 2011 4:18am

Outlook Anywhere uses the External OAB URL to download the OAB, which is different from internal clients. Fiona Liao TechNet Community Support
December 29th, 2011 4:19am

Oh! Any idea how to resolve the "An object cannot be found" when downloading OAB? The problem occurred right after the Exchange 2003 was migrated to 2007. This means it occurred to Outlook 2007 as well, now all the Outlook clients are using 2010. Valuable skills are not learned, learned skills aren't valuable.
December 29th, 2011 4:29am

...If the above test finishes without error, we may confirm the issue is caused by OAB. And you may follow the steps below to troubleshoot this issue: Add an A record in your external DNS and point to your CAS server's external IP address (or the firewall). The record should match your SMTP suffix. For example, your email address is user@contoso.com, then add a record of https://contoso.com/autodiscover/autodiscover.xml. Specify the external OAB URL. Refer to: http://technet.microsoft.com/en-us/library/bb201695.aspx. Note that the name and the certificate should be matched. Hope it is helpful. Outlook 2007 uses Autodiscover to get OAB information, so we need to fix the external autodiscover issue: Fiona Liao TechNet Community Support
December 29th, 2011 7:59am

I found that e-mail recall is also affected - The moment I do Recall while outside the office, I got "The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action". So, there is no way to fix the "An object cannot be found" error? I must fix the external autodiscover issue in order to fix the internal "An object cannot be found" issue? Valuable skills are not learned, learned skills aren't valuable.
December 30th, 2011 2:56am

Fiona, I found that an A record cannot have a value of https://contoso.com/autodiscover/autodiscover.xml, it can have a value like "autodiscover". However, the autodiscover A record is already inside my DNS and is correctly configured (pointing to the correct IP address). Thus, I believe the problem is something else. Lost... Valuable skills are not learned, learned skills aren't valuable.
January 2nd, 2012 11:04pm

Hi SingChung, Thanks for your update. You are correct, Outlook tests the predefined URLs including the one you mentioned to try to contact the autodiscover service. Can you test the URL https://autodiscover.contoso.com/autodiscover/autodiscover.xml in the problematic client outside your network? The expected result is error code 600. Thanks. If there is no problem, run Test Email AutoConfiguration on the problematic client outside your network and capture the screenshot for Log Tab and Result tab. Thanks. Fiona Liao TechNet Community Support
January 3rd, 2012 2:12am

Fiona, I got error code 403 Forbidden when I used IE9 to browse to https://autodiscover.xxxxxxxxxxxxxxxxx.com/autodiscover/autodiscover.xml. Is this the right way (using IE9) to test? Valuable skills are not learned, learned skills aren't valuable.
January 3rd, 2012 2:48am

IE9 is supported by Exchange 2007 SP3. I would suggest you verify the permission settings on the /autodiscover and /ews virtual directories on the CAS server. Refer to: http://blogs.technet.com/b/exchange/archive/2008/02/01/3404755.aspx Run IISreset /noforce to apply the change. After the autodiscover URL is available, test the EWS URL returned by Test Email AutoConfiguration in Outlook. If the issue continues, please check the IIS log for more detailed information. Thanks. Fiona Liao TechNet Community Support
January 3rd, 2012 3:18am

Fiona, Thanks. The permission and authentication settings seem correct. On Autodiscover virtual directory, the permissions: Administrators Full Control, Authentication Users Read/Read & Execute/List Folder Contents, System Full Control. The Authentication: Integrated Windows and Basic. On EWS, the permissions: Administrators Full Control, Authentication users Read, System Full Control. The Authentication: Integrated Windows. These authentication settings are the default as described in the blog link you provided (http://blogs.technet.com/b/exchange/archive/2008/02/01/3404755.aspx). When I connected my notebook internally, and browsed to https://autodiscover.avantustraining.com/autodiscover/autodiscover.xml, I got an authentication prompt. After entering my domain username and password, it displayed the xml file: <ErrorCode>600</ErrorCode> <Message>Invalid Request</Message> When I connected my notebook externally, and browsed to the same link, there was no authentication prompt, but the error 403 Forbidden. Valuable skills are not learned, learned skills aren't valuable.
January 3rd, 2012 3:58am

Did you allow the autodiscover URL and the EWS URL on your firewall ISA 2006? Refer to http://technet.microsoft.com/en-us/library/bb794751.aspx. 403 means a lot, including certificate related errors. See http://support.microsoft.com/kb/943891. I assume your Exchange 2007 is running in Windows 2008, then please find the detailed code in the IIS log in folder c:\inetpub\logs\logfiles\W3SVC1. Thanks. Fiona Liao TechNet Community Support
January 3rd, 2012 4:05am

Fiona, The Exchange 2007 is running on Windows 2003. I tried to locate log files in c:\inetpub but none found. I will double-check rules on ISA 2006. If ISA blocks it why should the browser say forbidden? Valuable skills are not learned, learned skills aren't valuable.
January 3rd, 2012 4:14am

Hi SingChung, The IIS log files by default are located at %windir%\system32\Logfiles\W3SVC1 in Windows 2003 server. If the ISA blocks the autodiscover access, there should be a record in the ISA server. Fiona Liao TechNet Community Support
January 3rd, 2012 4:16am

Fiona, There is no specific rule about allowing autodiscover. What I notice is it is inside the Outlook Anywhere rule, the paths /autodiscover/ and /ews/ are included, is it sufficient? So far the IIS log is capturing information only till 9am this morning (8 hours late?), also I can't find any information about request coming from external (is it normal?). What do these records mean?
2012-01-03 09:21:10 W3SVC1 10.1.1.25 GET /autodiscover/autodiscover.xml - 80 - 10.1.1.102 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6112;+Pro) 403 4 64
2012-01-03 09:21:13 W3SVC1 10.1.1.25 GET /autodiscover/autodiscover.xml - 80 - 10.1.1.1 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6112;+Pro) 403 4 5
2012-01-03 09:21:32 W3SVC1 10.1.1.25 GET /autodiscover/autodiscover.xml - 80 - 10.1.1.151 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6112;+Pro) 403 4 5
2012-01-03 09:21:35 W3SVC1 10.1.1.25 GET /autodiscover/autodiscover.xml - 80 - 10.1.1.99 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6106;+Pro) 403 4 5
2012-01-03 09:21:37 W3SVC1 10.1.1.25 GET /autodiscover/autodiscover.xml - 80 - 10.1.1.90 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.5128;+Pro) 403 4 5
2012-01-03 09:37:17 W3SVC1 10.1.1.25 GET /autodiscover/autodiscover.xml - 80 - 10.1.1.102 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6112;+Pro) 403 4 64
2012-01-03 09:37:19 W3SVC1 10.1.1.25 GET /autodiscover/autodiscover.xml - 80 - 10.1.1.64 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6112;+Pro) 403 4 5
2012-01-03 09:36:47 W3SVC1 10.1.1.25 POST /autodiscover/autodiscover.xml - 443 - 10.1.1.99 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6106;+Pro) 401 2 64
2012-01-03 09:36:47 W3SVC1 10.1.1.25 POST /Autodiscover/Autodiscover.xml - 443 - 10.1.1.162 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6106;+Pro) 401 2 64
2012-01-03 09:36:47 W3SVC1 10.1.1.25 POST /Autodiscover/Autodiscover.xml - 443 - 10.1.1.99 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6106;+Pro) 401 2 64
2012-01-03 09:36:47 W3SVC1 10.1.1.25 POST /autodiscover/autodiscover.xml - 443 - 10.1.1.64 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6112;+Pro) 401 2 64
2012-01-03 09:36:47 W3SVC1 10.1.1.25 POST /Autodiscover/Autodiscover.xml - 443 - 10.1.1.97 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6112;+Pro) 401 2 64
Valuable skills are not learned, learned skills aren't valuable.
January 3rd, 2012 4:50am

The time recorded in the IIS log is based on Greenwich Mean Time, so you need to add your time zone. You may find the explanation for each column in the very first line of the IIS log, including the server IP address, the client IP address, the client type (office 14 means office 2010) and the request result. The record does not contain an external access record, there is no external IP address so I am suspecting the external access was blocked by ISA. Besides, the error code is 403.4-SSL required. This may occur if you did not enable certificate require. Fiona Liao TechNet Community Support
January 3rd, 2012 5:04am
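
Added example (not part of the thread and not any poster's or Microsoft's code): a short Python triage of the IIS records posted above, applying the points from the reply: timestamps are UTC, status and substatus combine into codes such as 403.4, and the client-IP column shows whether any request came from outside private address space. The field order is an assumption read off the posted lines, and the +8 hour offset is hypothetical.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed field order, inferred from the lines quoted in the thread; a real
# log states it in its own "#Fields:" header, which parse_w3c() prefers.
DEFAULT_FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query "
                  "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status").split()

# IIS status.substatus meanings for the two codes that appear in the thread.
MEANING = {"403.4": "SSL required",
           "401.2": "logon failed due to server configuration"}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

UA = "Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6112;+Pro)"
PATH = "/autodiscover/autodiscover.xml"
# Four of the records posted in the thread (same field values).
SAMPLE = "\n".join([
    f"2012-01-03 09:21:10 W3SVC1 10.1.1.25 GET {PATH} - 80 - 10.1.1.102 {UA} 403 4 64",
    f"2012-01-03 09:21:13 W3SVC1 10.1.1.25 GET {PATH} - 80 - 10.1.1.1 {UA} 403 4 5",
    f"2012-01-03 09:36:47 W3SVC1 10.1.1.25 POST {PATH} - 443 - 10.1.1.64 {UA} 401 2 64",
    f"2012-01-03 09:36:47 W3SVC1 10.1.1.25 POST /Autodiscover/Autodiscover.xml"
    f" - 443 - 10.1.1.97 {UA} 401 2 64",
])

def parse_w3c(text):
    """Return one dict per request line, keyed by W3C field name."""
    fields, records = DEFAULT_FIELDS, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):      # ignore truncated lines
                records.append(dict(zip(fields, values)))
    return records

def is_internal(ip):
    """True when the address falls in RFC 1918 private space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def local_time(record, utc_offset_hours):
    """IIS W3C logs are written in UTC; shift to the admin's wall clock."""
    utc = datetime.strptime(f'{record["date"]} {record["time"]}',
                            "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))

def triage(records):
    """Count outcomes per (port, status.substatus); list non-RFC1918 clients."""
    outcomes, external = Counter(), set()
    for r in records:
        code = f'{r["sc-status"]}.{r["sc-substatus"]}'
        outcomes[(int(r["s-port"]), code)] += 1
        if not is_internal(r["c-ip"]):
            external.add(r["c-ip"])
    return outcomes, sorted(external)

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE)
    outcomes, external = triage(recs)
    for (port, code), n in sorted(outcomes.items()):
        print(f"port {port}: {code} ({MEANING.get(code, 'see IIS docs')}) x{n}")
    print("external clients:", external or "none")
    # +8 is a hypothetical offset, matching the poster's "8 hours late" remark.
    print("first request, local:", local_time(recs[0], 8).isoformat())
```

If the publishing firewall forwards requests from its own internal address, every client IP looks internal even for outside users, so an empty external list should be cross-checked against the firewall's own log.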

Fiona, In ISA 2006, after I enabled the logging, I could see that the connection to internal Exchange server was closed when I attempted to connect from external to https://autodiscover.mydomain.com/autodiscover/autodiscover.xml. I made a little modification to a Firewall Policy, in the "Outlook Anywhere" policy, I added a new Public Name and applied the rule. After that, I did testing using Outlook to connect to external network, then did a Reply All, a mail recall, a send to a recipient not yet known to my Outlook, the error "The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action." did not appear. However my Outlook now becomes "trying to connect", then ends with "disconnected". This might be a temporary issue but might be another problem created after I modified the Firewall Policy. Did I do something wrong (on the ISA)? Also when connecting to external network and connecting to https://autodiscover.mydomain.com/autodiscover/autodiscover.xml, I got the ISA authentication screen. After I supplied my domain username and password, I could see the error 600. Is this expected? Valuable skills are not learned, learned skills aren't valuable.
January 3rd, 2012 11:04pm

Hi, Thanks for the update. It seems the ISA is not setup properly. You might need to enable FBA on ISA. We are handling cases based on speciality. The guide document is http://technet.microsoft.com/en-us/library/bb794751.aspx to publish Outlook Anywhere via ISA 2006. However, for the detailed configuration in ISA, I'd suggest you pose the question in ISA forum here http://social.technet.microsoft.com/Forums/en/Forefrontedgegeneral/threads. Your understanding would be appreciated. Fiona Liao TechNet Community Support
January 4th, 2012 1:56am


Any update? I assume the issue is resolved. Thanks. Fiona Liao TechNet Community Support
January 5th, 2012 11:17pm

Fiona, The "Outlook must be online or connected" problem has been resolved, policy in ISA 2006 is the cause. The "An object cannot be found" problem is not resolved. I am upgrading the Exchange 2007 to Exchange 2010. I had just finished installation of Exchange 2010 on a new server. I just wonder if the "An object cannot be found" will be inherited (carried over) or will die with my Exchange 2007 server when it is decommissioned. Valuable skills are not learned, learned skills aren't valuable.
January 6th, 2012 1:55am

Hi SingChung, Exchange 2010 and Outlook 2010 still use Web-based services to retrieve information like OAB downloading. It is very possible the problem continues after moving to Exchange 2010. A good news is that in Exchange 2010 system, Outlook still use the same external URL of Autodiscover url. So I'd suggest you still test the URL and verify the IIS log. Fiona Liao TechNet Community Support
January 6th, 2012 2:02am

Here is the update: When I tested the external URL https://autodiscover.avantustraining.com/autodiscover/autodiscover.xml, I was redirected to the ISA logon page. It seems the ISA was not set up properly. Fiona Liao TechNet Community Support
January 6th, 2012 2:08am

Fiona, Please remove the real domain name from your reply. I mentioned about this prompt in my post, and I do not know if that is the correct behavior or not. I will get the error 600 after I am being authenticated (Windows authentication), that is after I entered username and password at the ISA prompt. You mean there should be no authentication (anonymous access)? Valuable skills are not learned, learned skills aren't valuable.
January 6th, 2012 3:46am

Fiona, The Outlook Anywhere rule I modified still uses "Authentication Users". That is the reason for ISA issuing the authentication prompt. I read that I need sp1 of ISA 2006 to allow me to change this to "All Users", else I need to create a separate rule for Autodiscover. So, I created a separate rule just for Autodiscover, but this time I got a certificate warning when accessing the autodiscover.xml site and then error 500 Internal Server Error. The Target principal name is incorrect (-2146893022) after I clicked continue. Valuable skills are not learned, learned skills aren't valuable.
January 6th, 2012 4:56am

Here is the update: When I tested the external URL https://autodiscover.xxxx.com/autodiscover/autodiscover.xml, I was redirected to the ISA logon page. It seems the ISA was not set up properly. Fiona Liao TechNet Community Support
January 6th, 2012 9:58am

Hi SingChung, Sorry for my overlook, I have already changed the real name. The Error code 600 is the expected result as I mentioned before. The problem is that we should not have the ISA logon page while accessing the Autodiscover URL. What we receive in IE is the same in Outlook. However, Outlook could not handle the ISA logon page, that's why Autodiscover failed in Outlook. Depending on the provider, the error message might mean something different. May I know where you received this error message? External Outlook? If yes, we need to verify the certificate installed in the CAS and make sure the name in "Issue to" matches the name we used for the Outlook Anywhere URL. Regarding the ISA rule, I am not familiar with it, so I'd suggest you pose this in http://social.technet.microsoft.com/Forums/en/Forefrontedgegeneral/threads. Or contact Microsoft Customer Support Service for assistance so that this problem can be resolved efficiently. To obtain the TL number, please refer to: http://support.microsoft.com/contactus http://support.microsoft.com/ Fiona Liao TechNet Community Support
January 9th, 2012 1:00am

Note that, to avoid any confusion, I would suggest you fix the ISA logon page first. And then try again to see if the certificate warning continues. Fiona Liao TechNet Community Support
January 9th, 2012 1:02am

Fiona, I now understand the problem behind the certificate error, it is because on the To tab, the publish site name must match the cn of the certificate. I have now 2 rules in ISA 2006, one for Outlook Anywhere and one for Autodiscover. The Autodiscover still gives me the ISA logon prompt. However I now have the "Outlook must be online or connected" problem solved. While still looking for a resolution for autodiscover prompting ISA logon, this problem is not that critical now. I continue with my Exchange migration. My bosses had advised me to upgrade ISA 2006 to FF TMG 2010. I notice a problem in my newly created Exchange 2010 when running the health check, it is complaining about admin group and the Exchange 2003 server that has already been decommissioned (when the last Exchange administrator migrated Exchange 2003 to Exchange 2007 in year 2008), I will post this problem in another thread. Valuable skills are not learned, learned skills aren't valuable.
January 9th, 2012 1:26am

Thanks for your understanding. I hope the issue will be resolved soon. Fiona Liao TechNet Community Support
January 9th, 2012 1:29am

This topic is archived. No further replies will be accepted.
