While Outlook 2003 and later clients can use Outlook Anywhere, i.e. RPC over HTTP, using SSL for access to Exchange mailboxes without the use of a VPN client, Entourage clients use WebDAV. With the proper configuration, the same result can be achieved.

The client side configuration is fairly straightforward. In Entourage, go to Tools... Accounts... and open the account you want connected to your Exchange server. It should look something like this:

Entourage 2008 Account Settings

On the advanced settings tab, you can also add the server name and pathname for the public folders OWA virtual directory. Something like this:

Entourage 2008 Account Advanced Settings

On your Internet-facing host running the client access server (CAS) role, it might seem counter-intuitive, but you do not need to enable WebDAV as a web extension service. To view this, open the IIS Manager, expand the local computer, and select the Web Service Extensions folder. The items that are available and allowed or prohibited are shown in the pane on right. Mine look like the image below… yours may be slightly different:

IIS Web Service Extensions settings on the CAS

Next, expand Web Sites and the Default Web Site, and select the Exchange virtual directory folder:

Virtual Directories in CAS IIS Configuration

If you do not have an Exchange virtual directory folder, then open an Exchange Shell, and enter the following command:

New-OwaVirtualDirectory -OwaVersion "Exchange2003or2000" -VirtualDirectoryType mailboxes "Exchange <default web site>"

Next open the properties of the Exchange virtual directory folder, and select the Directory Security tab.

Properties for the Exchange Virtual Directory

In the Secure communications pane, click on the Edit... button. Again, on your Internet-facing CAS host, make absolutely sure that the checkbox labeled Require secure channel (SSL) is checked!

However, if you also have a CAS role running internally on the mailbox server, then make absolutely sure that this checkbox is NOT checked in the IIS configuration for the Exchange virtual directory on the mailbox server! The reason is that the credentials passed to the Internet-facing CAS must be passed on the mailbox server, and this is apparently not possible from one SSL tunnel to another.

When you have completed the setup, your Entourage clients should have full access to Exchange using WebDAV over SSL without need of a VPN connection.