Disabling Outlook Anywhere for External Users with Exchange 2013

For security reasons we need to disable Outlook Anywhere for our external Exchange 2013 users.

Since Exchange 2013 explicitly uses Outlook Anywhere for internal and external Outlook connections, using "Set-CASMailbox -id <user> -MAPIBlockOutlookRpcHttp:$True" is not an option as it will break all Outlook connections. Also, nulling out the external Outlook Anywhere hostname does not seem to work since we don't use ambiguous namespaces for internal and external connections.

We are looking into the option of totally disabling our external autodiscover setting, but I believe if the user still knows the server information they will be able to make a connection anyway, plus we would like to use autodiscover for ActiveSync.

Any help on this would be greatly appreciated.

September 3rd, 2013 7:19pm

Funny. I was just thinking about this today.  When you say ambiguous name spaces, I think you really mean that you are using split-dns, yes?

As far as I know, the only way to accomplish this is to ensure the internal Outlook Anywhere hostname is not resolvable externally.

September 3rd, 2013 9:31pm

That makes sense.  To make that change, is it as simple as adding a new SAN to the cert, adding a new DNS record internally to match the SAN, and updating the Outlook Anywhere internal (new SAN) and external (null) hostname in ECP?
September 4th, 2013 3:35pm

Yes. Assuming you are requiring SSL, add, for example, internal.domain.com to the cert, then set the internal Outlook Anywhere hostname to internal.domain.com, then set the DNS entry for internal.domain.com to the VIP of whatever internal clients connect to.

Finally, ensure internal.domain.com is not resolvable externally in DNS.

September 4th, 2013 5:38pm
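
The steps from the reply above, written out as an added example (not part of the original thread) that applies the internal hostname and then checks each precondition. Assumptions: `internal.domain.com` is the thread's placeholder name, `8.8.8.8` stands in for any public resolver, and `Resolve-DnsName` requires Windows Server 2012 or later.

```powershell
# Run in the Exchange Management Shell on an Exchange 2013 server.
# Assumed values: replace with your own internal-only name and a public resolver.
$InternalName   = 'internal.domain.com'
$PublicResolver = '8.8.8.8'

# 1. The IIS-bound certificate must already list the new name as a SAN
#    (exact-match check; a wildcard certificate needs separate handling).
$cert = Get-ExchangeCertificate | Where-Object {
    $_.Services -match 'IIS' -and
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $InternalName)
}
if (-not $cert) {
    throw "No IIS-bound certificate lists $InternalName; reissue the certificate first."
}

# 2. Point internal Outlook Anywhere clients at the internal-only name, SSL required.
Get-OutlookAnywhere |
    Set-OutlookAnywhere -InternalHostname $InternalName -InternalClientsRequireSsl $true

# 3. Review what every Client Access server now publishes.
Get-OutlookAnywhere |
    Format-Table Server, InternalHostname, InternalClientsRequireSsl, ExternalHostname -AutoSize

# 4. The name must resolve through internal DNS and must NOT resolve publicly.
$inside = Resolve-DnsName -Name $InternalName -Type A -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' }
$outside = Resolve-DnsName -Name $InternalName -Type A -DnsOnly -Server $PublicResolver `
    -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }

if (-not $inside) {
    Write-Warning "$InternalName does not resolve internally; create the internal A record."
}
if ($outside) {
    Write-Warning "$InternalName resolves via $PublicResolver ($($outside.IPAddress -join ', ')); remove the public record."
} else {
    Write-Host "$InternalName is not resolvable through $PublicResolver."
}
```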

In the original question though, he said that he wanted to be able to keep ActiveSync working, just block Outlook.  If you set all your external DNS entries to internal addresses, won't that break ActiveSync?
March 2nd, 2014 2:44pm

Dear Dhagel,

I have the same requirement. Did you get any update on this? Please share it with me.

August 3rd, 2015 4:50am
