In this article, we’ll walk through what happens behind the scenes when users access Outlook on the Web (OWA), set up a new Outlook profile, or connect their mobile devices via Exchange ActiveSync. All of these operations go through Exchange using HTTPS, but each one involves its own handshakes, authentication, and routing logic.
Scenarios We’re Covering
- Accessing OWA via browser
- Setting up an Outlook profile (using mail.domain.com)
- Syncing mobile devices via Exchange ActiveSync (EAS)
Key Exchange Components in Play
- Client Access Services (CAS) – Handles authentication and proxies requests to the backend.
- Mailbox Role – Stores the actual mailbox database.
- Autodiscover Service – Helps Outlook and mobile devices figure out how to connect.
- Exchange Web Services (EWS) – Used for calendar access and mailbox functionality.
- Active Directory (AD) – Validates credentials and provides user info.
- Load Balancer (optional) – Helps spread the load across CAS servers.
Protocols & Ports
- HTTPS (443) – Used for almost everything: OWA, EAS, Autodiscover, MAPI over HTTP.
- MAPI over HTTP uses only port 443.
- RPC over HTTP (Outlook Anywhere) – Only used in older versions.
- EAS is not a separate protocol—it’s a set of HTTP extensions over HTTPS.
How Each Scenario Works
1. Outlook on the Web (OWA)
When a user visits https://mail.domain.com/owa:
- DNS Resolution: Browser resolves mail.domain.com to your Exchange CAS or load balancer.
- TCP & TLS Handshake: TCP handshake → TLS handshake (ClientHello, ServerHello, cert validation).
- Authentication: Login page appears (unless using SSO). CAS handles auth (Kerberos, NTLM, or Basic Auth).
- Routing: CAS talks to AD and proxies to the correct Mailbox Server.
- Data Retrieval: Mailbox Server retrieves data and returns via CAS to the browser.
2. Outlook Profile Setup with mail.domain.com
When a user sets up Outlook and types mail.domain.com:
- Autodiscover Triggered: Outlook checks autodiscover endpoints (mail.domain.com, autodiscover.domain.com, SRV).
- DNS and TLS: Same TCP + TLS handshake as OWA.
- Autodiscover Request: Outlook sends XML with user info.
- Authentication: CAS authenticates using AD.
- Autodiscover Response: Returns mailbox server info, URLs for OWA, MAPI, EWS, etc.
- Outlook Connects: Uses MAPI over HTTP to connect to CAS, which proxies to Mailbox Server.
3. Exchange ActiveSync (Mobile Devices)
When setting up a phone or tablet:
- Autodiscover Attempt: Tries autodiscover endpoints.
- Fallback to Direct EAS: If failed, tries /Microsoft-Server-ActiveSync.
- Authentication: Usually Basic Auth (or OAuth/cert-based for modern).
- Request Handling: CAS checks headers, validates and proxies to Mailbox Server.
- Data Sync: Mailbox Server returns data via WBXML; device syncs locally.
How Exchange Knows What You’re Trying to Do
- /owa → Outlook Web App
- /autodiscover/autodiscover.xml → Outlook setup or mobile sync
- /Microsoft-Server-ActiveSync → Mobile sync
- /EWS/Exchange.asmx → Calendar/Outlook functionality
- /mapi → Outlook mailbox sync (MAPI over HTTP)
Tools You Can Use (PowerShell)
To check the configuration:
![]()
![]()
![]()
![]()
Final Summary
Scenario: OWA
What Happens: Browser → DNS → CAS → Auth → Mailbox Server
Scenario: Outlook Setup
What Happens: Outlook → Autodiscover → CAS → MAPI/HTTP
Scenario: Mobile (EAS)
What Happens: Phone → Autodiscover or EAS → CAS → Mailbox
Corrections and Notes
- EAS is not a standalone protocol; it's a Microsoft extension over HTTPS.
- MAPI over HTTP and Outlook Anywhere are different—don’t mix them.
- Exchange 2016 doesn’t need RPC dynamic ports unless legacy coexistence is involved.
- SSL certs must include all services hosted under the namespace (e.g., mail.domain.com, autodiscover.domain.com).