locked
Outlook cannot connect to Exchange 2013 Server in closed network Lab RRS feed

  • Question

  • Hello all...

    I'm stumped at the moment.  I had the requirement to build a closed / isolated network test environment for evaluation and testing of several technologies. 

    Environment Info: It is a virtualized environment for the infrastructure which consists of two DCs, Exchange, FileServer, and McAfee EPO/VSE.  Windows Server is 2012 R2 and Windows Clients are Windows10.  All OS's are patched up to near current (< 90 days).  Exchange server is 2013 cu16.  Outlook client is Office 2013 (base install).

    Problem: "Outlook cannot log on.  Verify you are connected to the network ... Outlook must be online or connected to complete this action."

    Troubleshooting:  Exchange appears to be working just fine.  I have two test users and the admin user that can log into OWA just fine from the same clients that have Outlook installed.  Outlook autodiscover properly populates during Outlook configuration.  I don't see anything in either client or server event viewer that has helped.  It's a flat single subnet network.  Exchange only has the EPO agent (not the VSE agent) installed.  Of my two test clients, only ONE has the EPO/VSE agents installed. The error seems so simple and usually it is a network issue or autodiscover issue, but everything looks good to me.

    Additional Info:  I was given a bundle of GPOs to be used as part of standard policy.  Most related to common sense security practices (locking screen saver, password complexity, auditing policy, disabling dated protocols, renaming default administrator accounts, etc) that I can see.  We also redirect the Desktop & My Documents to the FileServer VM.

    Any help / ideas are greatly appreciated.  For example, is there a better way to get more info from Outlook on WHY it cannot connect?

    Monday, April 24, 2017 3:38 PM

Answers

  • FINALLY SOLVED!

    During my weeks of googling, I had seen a post about a flat subnet in a lab that had the issue of having NO default gateway.  I tried to recreate that in my Lab.  As expected, I got the error and I discovered the "DefConnectOpts" key did not resolve my issue on Outlook 2013.

    I said to myself, if it NEEDS the gateway defined maybe it somehow uses it for some "network test".  I statically defined my IP and gateway as my DC and VOILA!  It worked.  I then configured a dumb VM as the ".1" DHCP gateway and set my client to DHCP and it worked.

    Seriously?  Is this documented anywhere?  Exchange 2013 and Outlook 2013 on a flat, isolated subnet is not supported?  Setting a client to use another IP as a default GW would just unnecessarily spam that IP with traffic.

    After solving this I found another post via google with the same issue on Technet, but they were using Exchange 2016 and Outlook 2016.


    • Edited by Mat W Thursday, May 11, 2017 5:35 PM
    • Marked as answer by Mat W Thursday, May 11, 2017 5:35 PM
    Thursday, May 11, 2017 5:14 PM

All replies

  • "Outlook autodiscover properly populates during Outlook configuration."  How do you know?  Have you run the Test E-mail Autoconfiguration tool in Outlook?  If Autodiscover completes properly are all the services pointed to the correct URLs?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, April 27, 2017 6:13 AM
  • I've run through each test with Test-OutlookConnectivity and no errors.

    When I run Outlook and it starts to setup the profile, it's finds my name and email address.  I click NEXT and it successfully "Establishing network connection" and "Searching for <email address> settings".  But when it gets to "Logging on to the mail server" it pops up the "Outlook cannot log on ... <snip> ... Outlook must be online or connected to complete this action".  I click OK and it populates the Exchange account properties of Exchange server with the 'GUID@domain' and the mailbox with '=SMTP:<address>' which I believe is correct.

    Thursday, April 27, 2017 3:24 PM
  • Again, how do you know that Autodiscover is returning the correct values?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, April 27, 2017 11:16 PM
  • Hello,

    To troubleshooting your issue, please check below items:
    1. Ensure all Exchange services working fine.
    2. Run below command to check the server components (by default, ForwardSyncDaemon, ProvisioningRps is not active):
    Get-ServerComponentstate -Identity “servername”
    3. Open IIS manager, then switch to Site, right Default Web Site and open Bindings,
    check the certificate setting for 443 port. Also, 444 port in Exchange Back End.
    Also, check the path for those two sites.
    If you do anything change in IIS, run "IISRESET" to take effect.

    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 28, 2017 7:08 AM
  • Are you using HTTP or RPC still?Do you have all necessary ports reachable from the client machine?is this client machine also from same isolated network or outside network?The client should be able to reach the CAS urls with 443 port and other dynamic ports like address book(60001/60002)This dynamic ports you need to validate from server side .

    Jayakumar K

    Friday, April 28, 2017 9:51 AM
  • It is one completely flat ClassC network with no other connectivity.  Only the single Exchange 2013 server with Windows10/Office2013 clients.  I've temporarily stopped the 'Windows Firewall' service on the Exchange server to rule that out.

    It's my understanding that "autodiscover" is really just using information from AD for my user to point Outlook to the Exchange server.  I also did replace the default SSL certificates with one signed by my Enterprise CA I configured. 

    Allen, it does say the OabProxy Component is inactive? 

    Friday, April 28, 2017 1:08 PM
  • When I do a 'get-mailbox' for each of the tes tusers, the ExchangeGuid property is the GUID@<domain> in the server box after Outlook setup fails.  Is that the correct value for that field?

    Friday, April 28, 2017 1:49 PM
  • That's fine but it doesn't answer my question.  Repeating,

    Have you run the Test E-mail Autoconfiguration tool in Outlook?  If Autodiscover completes properly are all the services pointed to the correct URLs?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, April 28, 2017 11:34 PM
  • That's fine but it doesn't answer my question.  Repeating,

    Have you run the Test E-mail Autoconfiguration tool in Outlook?  If Autodiscover completes properly are all the services pointed to the correct URLs?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    How can I run the tool in Outlook if Outlook doesn't open?  Are there any other tools I can get to test from the client?  

    As far as I can tell, all URLs are correct.  Everything literally points to "mail.ad.local". 

    The issue seems like Outlook can't connect, but there's no firewall running.  Would the OabProxy service not running affect Outlook connectivity?

    Monday, May 1, 2017 1:14 PM
  • Open Outlook with a new profile that connects to a POP server, even if it is a phony one.  You'll get the icon in the system tray and you can test Autodiscover.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, May 1, 2017 7:43 PM
  • Open Outlook with a new profile that connects to a POP server, even if it is a phony one.  You'll get the icon in the system tray and you can test Autodiscover.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    It won't let me create a dummy POP account... I can't click NEXT w/o populating servernames.  I populate them w/ bogus info and it tries to "Test Account Settings" and will not let me proceed past that screen into the Outlook client.  It will error out and not move past the account info setup screen.
    Monday, May 1, 2017 7:48 PM
  • Ok, on the first screen you can set it up w/o an email account.  I was able to open Outlook and run the tool.  My email address and password, check 'use autodiscover', and then 'Test'.  Comes back a split-second later with no errors.  All URLs look OK.  Based on the results and my issue I have the questions below...

    - Under 'Protocol: Exchange RPC' it says 'Auth Package: Unspecified' ... ?

    - I have three 'Protocol: Exchange HTTP' entries.  1st and 3rd appear to be the "external URL" I configured that will be used later.  The 2nd is the internal URL.  Is that normal?

    Monday, May 1, 2017 8:06 PM
  • I've disabled all the GPOs.  I still cannot get Outlook to open.  In my gut, it feels like some sort of Authentication issue, but I don't see anything wrong other than that OAB proxy component that just doesn't want to work.  Could that be the cause?
    Friday, May 5, 2017 1:05 PM
  • OK, I have corrected the OABproxy component issue. 

    Get-ServerComponentState shows all ACTIVE except ForewardSyncDaemon and ProvisioningRps which I understand to be correct.

    Get-ServerHealth now shows NO unhealthy services.

    Still no change in Outlook Client behaviour...

    Friday, May 5, 2017 7:55 PM
  • Do you configure MAPI over HTTP in your Exchange 2013 server?
    If not, please refer to below link to set it:
    https://technet.microsoft.com/en-us/library/mt634322(v=exchg.160).aspx

    If this issue remain exists, disable MAPI over HTTP in organization and check the result with Outlook anywhere.

    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 9, 2017 11:49 AM
  • I just spent awhile testing almost every combination of settings of the "Combining MAPI over HTTP configurations and internal or external connections" matrix in the link referenced for MAPIoverHTTP and OA.  It had no affect on Outlook which still fails to connect with the same error.

    Tuesday, May 9, 2017 7:33 PM
  • FINALLY SOLVED!

    During my weeks of googling, I had seen a post about a flat subnet in a lab that had the issue of having NO default gateway.  I tried to recreate that in my Lab.  As expected, I got the error and I discovered the "DefConnectOpts" key did not resolve my issue on Outlook 2013.

    I said to myself, if it NEEDS the gateway defined maybe it somehow uses it for some "network test".  I statically defined my IP and gateway as my DC and VOILA!  It worked.  I then configured a dumb VM as the ".1" DHCP gateway and set my client to DHCP and it worked.

    Seriously?  Is this documented anywhere?  Exchange 2013 and Outlook 2013 on a flat, isolated subnet is not supported?  Setting a client to use another IP as a default GW would just unnecessarily spam that IP with traffic.

    After solving this I found another post via google with the same issue on Technet, but they were using Exchange 2016 and Outlook 2016.


    • Edited by Mat W Thursday, May 11, 2017 5:35 PM
    • Marked as answer by Mat W Thursday, May 11, 2017 5:35 PM
    Thursday, May 11, 2017 5:14 PM
  • Also... if Outlook is smart enough to give you an error when you do not have a Default GW defined.  Shouldn't it also be smart enough to tell you if it performs this test behind the scenes and it's unavailable?

    Sidenote, not ALL default GWs respond to ICMP... so isn't this a bad test?

    Thursday, May 11, 2017 5:51 PM
  • I discussed this issue in this post many moons ago:

    https://blogs.technet.microsoft.com/rmilne/2014/03/27/outlook-unable-to-connect-to-exchange-default-gateway-not-found/

    What is the exact build of Outlook in this lab ?


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne  Twitter:   LinkedIn:   Facebook:   XING:

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, May 12, 2017 10:31 PM
  • I discussed this issue in this post many moons ago:

    https://blogs.technet.microsoft.com/rmilne/2014/03/27/outlook-unable-to-connect-to-exchange-default-gateway-not-found/

    What is the exact build of Outlook in this lab ?



    Your article was the one that helped me figure out the solution.  I wasn't getting an error that mentioned "no gateway", I simply got the error talking about being unable to connect.   I had a default gateway defined, it was simply unreachable because I had not deployed the router. 

    I thought it was a firewall or authentication issue.  Eventually I thought that if Outlook had to have a Default Gateway defined, maybe it uses it for some connectivity test.  Which still makes no sense in any scenario where you're working in a closed/flat network (as I often do), and that it can give a "no default GW" error but not a "gateway unreachable" error. 

    I tried to recreate the missing Default GW error and fix it with the registry key, but that key did not work.  So I pointed the Default GW at my DC and voila.  Then I tried making a dummy linux VM as my GW and that worked.  So my short term fix is using my DC as my Default GW until I deploy my router.

    Outlook Build is 15.0.4885.1000

    Monday, May 15, 2017 4:19 PM
  • Ah - good stuff :)

    That is a really old build - looks like:

    https://support.microsoft.com/en-us/help/3127975/december-6,-2016,-update-for-outlook-2013-kb3127975

    There was work done on this for OA, and that had to then be repeated for MAPI/HTTP and that will most likely not be in that Outlook build.  Try updating, and see what it does.


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne  Twitter:   LinkedIn:   Facebook:   XING:

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, May 15, 2017 4:48 PM
  • Dec 2016 really old?  That's bleeding edge for a lot of what I work with.  :)  I'm happy I could use 2013 vs. 2010 versions for this test environment.

    I will try to get a more recent rollup to test and report back.  Thanks.

    Monday, May 15, 2017 5:03 PM
  • Just tested after applying some patches... Outlook Build 15.0.4927.1001

    Same results...

    Outlook client w/o Default GW = Error about missing a default GW

    Outlook client w/ unreachable Default GW = Error about server being offline/unreachable

    Outlook client pointed at DC as Default GW = Outlook detects & connects just fine

    Monday, May 15, 2017 6:19 PM
  • I just had the same issue and we've been struggling with it for over year - ever since we attempted to add new workstations running Windows 10.  Everything worked fine in Windows 7 with an invalid Gateway IP, and I'm not sure why.  We tried so many things to get the Windows 10 boxes to work - even copying the profile data in the Win 7 box's HKCU hive to the Win 10 box didn't help.  Changing our DHCP server to set the Gateway IP to the network's DC fixed things immediately.

    Another oddity: Now that I've fixed it I can't get it to break again!  When I set a static IP on the workstation and set the Gateway back to an invalid IP, Outlook keeps working!  Very frustrating, and I wish I knew what was going on.

    Tuesday, January 2, 2018 10:46 PM
  • Holy crap you have got to be kidding me MS!

    I've been fighting the same issue Outlook 2013 to Exchange 2016 for MONTHs on two new networks that are offline not connected to anything else.  I always had a GW set to a x.x.x.1 address for future expansion of these networks to new locations but never had a Router or RRAS server setup at that address.  Outlooks stupid CANNOT CONNECT TO EXCHANGE error message doesn't tell you crap about what it's really doing or that it is pining the GATEWAY for no friggin reason.  

    MS what a bunch of $#!^.


    -------------------- Joe O'Bremski

    Thursday, February 15, 2018 1:43 PM
  • THanks so much

    I've spent a couple days and completely blew up and recreated my environment....all because of a default gateway!!

    Thursday, June 14, 2018 1:27 PM