Outlook Anywhere (RPC over HTTPS) can only be switched on or off on the Exchange servers. Unfortunately, there is no simple way to configure which users are allowed to use Outlook Anywhere. Access can be restricted to Active Directory groups using Forefront TMG, but every client is still configured for Outlook Anywhere through Autodiscover. This has the disadvantage that users who want to use Outlook offline are constantly prompted to enter their user name and password, because Outlook knows a valid Outlook Anywhere configuration and only Forefront refuses the connection.
In this screenshot you can see that only users who are in the "Outlook Anywhere Users" group get access via Forefront and RPC over HTTPS.
Nevertheless, Outlook receives the Outlook Anywhere settings via Autodiscover and tries to use them for a remote connection.
As soon as Outlook then tries to establish a connection, the user name and password are repeatedly requested because Forefront refuses the connection.
To avoid this problem, you should deactivate Outlook Anywhere on all clients that are not allowed to use it. The easiest way to do this is via group policy (GPO). Unfortunately, the necessary setting is not included in the standard templates for Office and is somewhat hidden. So here is a short guide (DO NOT APPLY TO OUTLOOK 2010 AND EXCHANGE 2013).
First download the template with the descriptive name 2426686, which contains the settings for Outlook 2010, and copy it to a domain controller:
Then create a new GPO to disable Outlook Anywhere globally; the GPO is linked to the domain:
Next, switch to the "Delegation" tab and click on "Advanced".
Now add the corresponding Active Directory group for which Outlook Anywhere should be allowed (in my case, this is the group "DL_Outlook_Anywhere_Users"), then set the check mark for "Apply group policy" to "Deny", so that the GPO is not applied to the members of this group.
Then edit the GPO and select Policies -> Administrative templates under User configuration. The template is added there.
As soon as the template has been added, the "Classic administrative template (ADM)" item becomes visible, where the "RPC/HTTP connection flags" setting can be found.
Enable the setting and set it to "No Flags".
Outlook Anywhere is now deactivated for all users who do not belong to the corresponding Active Directory group (in my case "DL_Outlook_Anywhere_Users").
All other users will continue to receive the settings via Autodiscover.