Hello, 

I would like to block the Outlook Web App (2013) externally, should be accessible internal only. I have two Client Access Servers, one facing externally and one facing internally for administration purpose. I have been looking at the options to block the external facing CAS for OWA only. I referred this article: http://blogs.msmvps.com/expta/2013/09/17/how-to-block-owa-2010-and-2013-for-external-users/, it doesn't help me much. Anyone had luck implementing this? 

Thanks! 

You can block OWA to users by set-casmailbox id "mailbox name"-owaenabled:$false

Hello, I didn't want to block for a particular user or for all users. I want to block the Outlook Web App URL itself for external access.

Hello, I didn't want to block for a particular user or for all users. I want to block the Outlook Web App URL itself for external access.

I did this once, and I configured a separate VIP for external access and blocked OWA Access from that level.

I think there's going to be an easier mechanism for this coming later on.  I think this ignite sessions talks aboutit.

https://channel9.msdn.com/events/Ignite/2015/BRK3109

 

On the device that you are using to publish CAS to the Internet, do not allow the /OWA or /ECP paths.

This is dooable on TMG and the various load balancers that feature an APM.

Thanks for sharing the Ignite session. 

Thanks! I am thinking to just change the physical paths for both the OWA and ECP. This would disable the external access to OWA and bring the HTTP 404 error "The resource cannot be found".

Thanks! I am thinking to just change the physical paths for both the OWA and ECP. This would disable the external access to OWA and bring the HTTP 404 error "The resource cannot be found".

That would disable OWA access to it internally as well. If that is all you want to do , then why not simply stop the OWA and ECP app pools on that CAS?

Hi,

Based on my search, I have found no related setting to achieve your goal on exchange side.

Normally, we can use the below command to disable OWA access:

Set-CASMailbox user@contoso.com -OWAEnabled $false

According to your requirements, we have to use ISA/TMG to filter the OWA requests.

I suggest you can refer to the below blog to have a test:

http://blogs.technet.com/b/messaging_with_communications/archive/2011/05/02/how-to-block-owa-for-external-users.aspx  

Regards,

David 

• Edited by David Wang_Microsoft contingent staff 4 hours 37 minutes ago

Hi,

Based on my search, I have found no related setting to achieve your goal on exchange side.

Normally, we can use the below command to disable OWA access:

Set-CASMailbox user@contoso.com -OWAEnabled $false

According to your requirements, we have to use ISA/TMG to filter the OWA requests.

I suggest you can refer to the below blog to have a test:

http://blogs.technet.com/b/messaging_with_communications/archive/2011/05/02/how-to-block-owa-for-external-users.aspx  

Regards,

David 

• Edited by David Wang_Microsoft contingent staff Tuesday, September 01, 2015 2:51 AM
• Proposed as answer by David Wang_Microsoft contingent staff 5 hours 50 minutes ago

Hi,

Based on my search, I have found no related setting to achieve your goal on exchange side.

Normally, we can use the below command to disable OWA access:

Set-CASMailbox user@contoso.com -OWAEnabled $false

According to your requirements, we have to use ISA/TMG to filter the OWA requests.

I suggest you can refer to the below blog to have a test:

http://blogs.technet.com/b/messaging_with_communications/archive/2011/05/02/how-to-block-owa-for-external-users.aspx  

Regards,

David 

• Edited by David Wang_Microsoft contingent staff Tuesday, September 01, 2015 2:51 AM
• Proposed as answer by David Wang_Microsoft contingent staff Saturday, September 05, 2015 1:41 AM

Thanks! I have another CAS server that is hosted internally, so users will be able to access the OWA internally without any issues.