Block External Outlook Anywhere Access

Using Exchange 2013. I am trying to block Outlook Anywhere from external access. Easy enough: remove the external hostname from the virtual server. However, I did this and users can still connect. They are not going through a VPN. The internal URL was using the same name as the external URL. They were both using mail.company.com.

Should I change the internal URL to use servername.company.com and make sure that this isn't resolvable via external DNS? My thought is that clients are resolving mail.company.com since it is in DNS. This lets them hit the Palo Alto firewall, and once it gets through the Palo Alto it appears as if it is internal traffic. Is my thinking right on this?

I need to know for sure as this isn't just an environment that I can play around with.


February 23rd, 2015 11:47am

Hello,

I suggest you separate internal and external URLs. Change the internal URL to servername.domain.com and delete any external URL.

February 23rd, 2015 12:50pm

I did delete the external URL.
February 23rd, 2015 12:59pm

What I would do is $null out the ExternalUrl (already done, I know), and then remove the external name from DNS. But before you do this, the next question is: do you allow ActiveSync/OWA externally?
February 23rd, 2015 1:13pm

I can't get rid of the mail.company.com externally as that is what they are using for MX records.
February 23rd, 2015 1:25pm

ActiveSync is allowed externally for 3 more weeks, but OWA is not allowed.
February 23rd, 2015 1:25pm

You do not have to remove the MX records for that (only used for mail anyway), just remove the A record for mail.company.com. But you'll have to wait until ActiveSync is no longer allowed, otherwise they would lose AS connectivity.
February 23rd, 2015 2:33pm

If the MX records are pointed to a name, then the name has to be able to resolve. If the MX records are pointed to an IP, then I could remove the A record. They are pointed to a name and don't want to change that.
February 23rd, 2015 2:56pm

Duh, sorry about that... most of my clients use 3rd party hygiene providers that act as their mail gateways, and for some reason I was operating under that assumption here. The other option is to block ports 80 and 443 at the firewall level. Again, that is going to affect ActiveSync traffic as well.
February 23rd, 2015 3:20pm

Actually, now that I think about it, they are using Mimecast, so their MX records should be pointing there. This might be doable after we get rid of ActiveSync.
February 23rd, 2015 3:37pm

Dang it, just found out they are using mail.company.com externally and will continue to do so.

I think what needs to happen is I need to change the internal URL to something like internal.company.com. The only thing I am worried about with that is: if I change it from mail.company.com to internal.company.com, how are their Outlook clients going to get reconfigured? I would be afraid that they would lose connectivity to their CAS servers.

February 23rd, 2015 3:48pm

When they relaunch, Autodiscover would redirect them to the correct site. Before you do that you will need to get a new certificate that has internal.company.com on it (unless you're using a wildcard cert or it's already on your SAN cert; P.S. if you have available space you can just add that name to it as well) to avoid cert prompts once the change has been made. That might take care of it, but you may also have to block port 443 at the firewall as well.
February 23rd, 2015 3:54pm
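The changes discussed in this thread (clearing the external hostname, moving Outlook Anywhere to a separate internal-only name, and checking the certificate before clients are redirected by Autodiscover), written out as an added Exchange Management Shell example. This is not from any poster; servername.company.com, mail.company.com and the wildcard name are the thread's placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange 2013 Management Shell.
# Assumption: the new internal-only name below resolves only on internal DNS.
$InternalName = "servername.company.com"

# 1. Record the current Outlook Anywhere settings on every Client Access server
#    so you can see which names are still handed to clients.
Get-OutlookAnywhere |
    Format-Table ServerName, InternalHostname, ExternalHostname,
                 InternalClientsRequireSsl, ExternalClientsRequireSsl -AutoSize

# 2. Move internal Outlook Anywhere to the internal-only name and clear the
#    external hostname. Autodiscover returns these values, so clients that
#    relaunch Outlook pick them up without manual reconfiguration.
Get-OutlookAnywhere | Set-OutlookAnywhere `
    -InternalHostname $InternalName `
    -InternalClientsRequireSsl $true `
    -InternalClientAuthenticationMethod Ntlm `
    -ExternalHostname $null

# 3. Outlook Anywhere is not the only protocol published on mail.company.com.
#    List every other virtual directory that still carries an ExternalUrl, so
#    you know exactly what (e.g. ActiveSync) the firewall rule will still allow.
$vdirs = @(
    Get-WebServicesVirtualDirectory
    Get-OabVirtualDirectory
    Get-OwaVirtualDirectory
    Get-EcpVirtualDirectory
    Get-ActiveSyncVirtualDirectory
)
$vdirs | Where-Object { $_.ExternalUrl } |
    Format-Table Server, Identity, ExternalUrl -AutoSize

# 4. Before the change takes effect, confirm the certificate bound to IIS covers
#    the new internal name; otherwise every redirected client gets a cert prompt.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$covered = ($iisCert.CertificateDomains -contains $InternalName) -or
           ($iisCert.CertificateDomains -contains "*.company.com")
if (-not $covered) {
    Write-Warning "Certificate $($iisCert.Thumbprint) does not include $InternalName."
    Write-Warning "Generate a SAN request first, for example:"
    Write-Warning "New-ExchangeCertificate -GenerateRequest -SubjectName `"cn=$InternalName`" -DomainName $InternalName,mail.company.com,autodiscover.company.com -PrivateKeyExportable `$true"
}
```

Step 2 only changes what Autodiscover tells clients; a client that already knows mail.company.com can still reach the CAS until the external DNS record or the firewall path is removed, which is why the thread ends on blocking 443 as well.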
