How do I know how many phones are connecting to Exchange?
Hi,

We have phones that are not owned by the company that are accessing the corporate email via OWA, like BlackBerries, Droids, etc. I was wondering if someone could address the following questions for me?

- Is there some sort of tool that we can put in place, costed or free, that will enable us to track this access and/or disable it?
- Does this HTTP/OWA phone access work the same way in Exchange 2010 as it does in Exchange 2003?
- What sort of load does this put on the OWA server and the Exchange server?
May 24th, 2011 4:55pm

Usually mobile phones access Exchange via ActiveSync. BB uses its own server, so you can track on it how many are accessing Exchange; however, BB does not use OWA to access Exchange. In EMC you can disable access to OWA on a per-mailbox basis.

With kind regards
Krystian Zieja
http://www.projectnenvision.com
May 24th, 2011 5:18pm

I am not targeting specifically BB. Basically the problem is that more users are accessing the company email with their own phone devices via HTTP/OWA.

For example:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB03087

http://www.google.com/support/forum/p/android/thread?tid=2d6285c57427a425&hl=en

We can't block them from connecting their phones to the company email because they ALL have access to OWA and the only way to stop the phone will be by removing the user's OWA access, which we can't do.

That being said, it is my understanding that this is going to be the same case in Exchange 2010? In other words, any user with OWA access will be able to connect their phone to the Exchange server and we will not have any way to prevent this from happening unless we do not give them access to the company webmail. If so, the question with Exchange 2010 is the same: is there any way to control the OWA phone access? Any way to know about who is connecting via phone and OWA, either with a third-party tool or native Exchange tools, other than looking at the IIS logs?

I know that phone access via ActiveSync can be monitored, but what about phone access via OWA/HTTP? How do you easily monitor their access without having to drill through the IIS logs?
May 24th, 2011 5:46pm

Hi

If you use Exchange 2007/2010 you can run the following shell command to show which users are connecting using ActiveSync:

    Get-CASMailbox -Filter {hasactivesyncdevicepartnership -eq $true -and -not displayname -like "CAS_{*"} | Get-Mailbox | foreach { Get-ActiveSyncDeviceStatistics -Mailbox $_ } | ft Identity,LastSuccessSync -AutoSize

Disable the ActiveSync feature:

    Set-CASMailbox -Identity Alias -ActiveSyncEnabled $false

Bulk disabling:

    # Reads the Alias column of users.csv and disables ActiveSync for each mailbox
    Import-Csv users.csv | foreach { Set-CASMailbox -Identity $_.Alias -ActiveSyncEnabled $false }

The users.csv should look like this:

    Alias
    User1
    User2

Hope that helps

Regards
Pano

Pano Boschung, PageUp AG
May 24th, 2011 6:12pm

Thanks. I was aware of the ActiveSync PowerShell command. But my target is phones connecting to Exchange through OWA. Anything to say about that?
May 24th, 2011 6:57pm

Perhaps you could put something either in IIS or in the proxy/firewall that inspects the User-Agent string of the browser and only lets "desktop" web browsers get to OWA. That's really not an Exchange thing and I'm not sure how well it would work out. Is there a reason to care whether they are using a computer or a phone to access the web mail? Or do these mobile clients use OWA to get in but then download and store data on the phone? (I can see how that would be a concern.)
May 24th, 2011 8:48pm

We are going to be only supporting ActiveSync once we move to Exchange 2010. With Exchange 2010 we want to apply basic security policies to the phones, and we only want to allow to connect to Exchange the phones that are connecting through AS and getting the policies; otherwise we don't want the phone to connect to the email system. If we push security policies through EX and NO policies for the OWA connection, the users are going to continue to use OWA in order to avoid the security policies. Any ideas?
May 24th, 2011 9:40pm

Also, putting something in the IIS server won't prevent them from connecting unless the technology behind this type of connection has access to the OWA site like a regular HTTP connection. I am not targeting connecting to OWA via the phone browser but direct connection like this one:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB03087

http://www.google.com/support/forum/p/android/thread?tid=2d6285c57427a425&hl=en
May 24th, 2011 10:18pm

On Tue, 24 May 2011 14:46:24 +0000, post wrote:

>I am not targeting specifically BB. Basically the problem is that more users are accessing the company email with their own phone devices via HTTP/OWA.
>
>For example
>
>http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB03087
>
>http://www.google.com/support/forum/p/android/thread?tid=2d6285c57427a425&hl=en
>
>We can't block them from connecting their phones to the company email because they ALL have access to OWA and the only way to stop the phone will be by removing the user's OWA access, which we can't do.
>
>That being said, it is my understanding that this is going to be the same case in Exchange 2010? In other words, any user with OWA access will be able to connect their phone to the Exchange server and we will not have any way to prevent this from happening unless we do not give them access to the company webmail. If so, the question with Exchange 2010 is the same: is there any way to control the OWA phone access? Any way to know about who is connecting via phone and OWA, either with a third-party tool or native Exchange tools, other than looking at the IIS logs?
>
>I know that phone access via ActiveSync can be monitored, but what about phone access via OWA/HTTP? How do you easily monitor their access without having to drill through the IIS logs?

One way to deal with that would be to filter the HTTP traffic based on the information in the HTTP packets that identify the version of the browser. Sure, you could probably get the phone to impersonate a different browser version, but not a lot of people would do that.

---
Rich Matheisen
MCSE+I, Exchange MVP
May 25th, 2011 4:25am

Hi post,

As far as I know, Exchange doesn't have the function you require. Maybe you can use another third-party tool to achieve the goal.

You can also try it this way:

1. Find out all the IP addresses which are being used by the phones.
2. Check the IIS log for entries which match the IP addresses you collected; these may be access from a phone.

Thanks,
Evan Liu

TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 25th, 2011 10:21am

I wanted to post this a while ago but I have been really busy. To wrap this up... this is the scenario I am concerned about.

1.) Users with their own phones connect to OWA.
2.) The email is downloaded to their phones and cached in the phone.
3.) The phone gets stolen or is lost and the emails are in the phone with no password protection or any way to remotely wipe the device.
4.) The same user gets an iPad/Android tablet and they connect the tablet through OWA as well, so now we have the same problem but with a tablet, which makes the problem twice as difficult to control.

Now you bring AS to the company and you tell them to switch from OWA to AS without disabling OWA, and I am 100% positive that they will not switch to anything new unless the old access (OWA through phone) is discontinued.

So the BIG question is HOW do you control this? How do you block phones/tablets etc. from accessing WebApp in Exchange 2010?

I hope I was clear enough with my post. Thank you!
June 1st, 2011 5:39pm

Rich,

I was looking at your post:

> One way to deal with that would be to filter the HTTP traffic based on the information in the HTTP packets that identify the version of the browser. Sure, you could probably get the phone to impersonate a different browser version, but not a lot of people would do that.

The users are not accessing OWA via their phone browsers; instead they are configuring the phone email client to connect to OWA, but I understand that the mechanism behind is HTTPS to OWA.

The question is how and where could you filter the HTTP traffic based on the packet that identifies the version of the browser? Would this block the phone/tablet email client from accessing OWA?

How is everyone out there dealing with this problem? We don't mind purchasing a 3rd party application to mitigate this but I haven't been able to find anything to fill the gap. Any thoughts?
June 1st, 2011 6:01pm

Post - I take it from your last message they are connecting via Outlook Anywhere (RPC over HTTP), is this correct? If so, you can manage this from the set-casmailbox command.

    set-casmailbox -identity <user> -mapiblockoutlookrpchttp $true

This should keep them from using their mail clients on the phones to connect.
June 2nd, 2011 12:11am

On Wed, 1 Jun 2011 15:01:40 +0000, post wrote:

>>I was looking at your post One way to deal with that would be to filter the HTTP traffic based on the information in the HTTP packets that identify the version of the browser. Sure, you could probably get the phone to impersonate a different browser version, but not a lot of people would do that. --
>The users are not accessing OWA via their phone browsers instead they are configuring the phone email client to connect to OWA,

OWA is OWA. I'm not sure I understand the distinction.

>but I understand that the mechanism behind is HTTPs to OWA.

Well, RPC-over-HTTPS is not OWA. It's quite different, if that's what you mean by HTTPS. OTOH, if you mean just HTTPS then it's still using OWA and they're still using a browser.

>The question is how and where could you filter the HTTP traffic based on packet that identify the version of the browser?

You could do it in ISA or TMG, or you could use URLScan (I think . . . it's been a long time since I've used that).

>Would this block the phone/tablet email client from accessing OWA?

Yes, it would. It may, depending on how you do it, prevent them from accessing any web sites inside your network. :-)

>How is everyone out there dealing with this problem? We don't mind purchasing a 3rd party application to mitigate this but I haven't been able to find anything to fill the gap. Any thoughts?

If they're using OWA they aren't saving copies of e-mail on the device. HTTPS shouldn't cache a copy of the web page on the device, either. You can configure OWA to render an image of attachments instead of downloading the attachment for viewing, too.

---
Rich Matheisen
MCSE+I, Exchange MVP
June 2nd, 2011 1:04am

Z A K

No we are not using HTTP/RPC the users

The users connect to OWA through the phone email client (BIS)

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB03087

http://www.google.com/support/forum/p/android/thread?tid=2d6285c57427a425&hl=en

Rich,

> OWA is OWA. I'm not sure I understand the distinction.

I understand but I am not sure if connecting through the phone email client works the same way.

> If they're using OWA they aren't saving copies of e-mail on the device. HTTPS shouldn't cache a copy of the web page on the device, either. You can configure OWA to render an image of attachments instead of downloading the attachment for viewing, too.

Yes, the emails are kept in the phone. This is a known security issue. Have you ever tried to configure your phone to connect via BIS? Or directly to OWA?

"You can configure OWA to render an image of attachments instead of downloading the attachment for viewing, too."

I don't quite understand this, can you please clarify?

That being said, so far the best way that I have found to prevent this from happening is described in this article.

http://www.indepthdefense.com/2008/04/blocking-blackberry-from-accessing-owa.html
June 2nd, 2011 3:36pm

On Thu, 2 Jun 2011 12:36:42 +0000, post wrote:

>Z A K
>
>No we are not using HTTP/RPC the users
>
>The users connect to OWA through the phone email client (BIS)
>
>http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB03087
>
>http://www.google.com/support/forum/p/android/thread?tid=2d6285c57427a425&hl=en
>
>Rich, OWA is OWA. I'm not sure I understand the distinction.
>
>I understand but I am not sure if connecting through the phone email client works the same way. If they're using OWA they aren't saving copies of e-mail on the device. HTTPS shouldn't cache a copy of the web page on the device, either. You can configure OWA to render an image of attachments instead of downloading the attachment for viewing, too.
>
>Yes, the emails are kept in the phone. This is a known security issue. Have you ever tried to configure your phone to connect via BIS? Or directly to OWA?

Ahhh . . . now you're getting down to specifics instead of the fuzzy "phone email". Your problem is not with OWA or the browser on "a phone", it's a problem with RIM and BIS that uses OWA to send and receive mail but makes a copy of the message on the Blackberry.

Have I ever used OWA from a phone? Not in a long time. The constant scrolling makes it a very unpleasant experience.

>"You can configure OWA to render an image of attachments instead of downloading the attachment for viewing, too."
>
>I don't quite understand this can you please clarify?

The "web-ready" attachment control is what you're looking for:

http://www.petri.co.il/control-exchange-server-2007-attachments-through-owa-part-one.htm

>That being said, so far this is the best way that I have found to prevent this from happening is described in this article.
>
>http://www.indepthdefense.com/2008/04/blocking-blackberry-from-accessing-owa.html

The BIS uses, I believe, Exchange Web Services (EWS). I'll stick with my earlier recommendation to use ISA or TMG to deal with this:

http://blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspx

Of course, simply using ISA or TMG and Forms Based Authentication will stop BIS -- at least for now.

---
Rich Matheisen
MCSE+I, Exchange MVP
June 3rd, 2011 5:16am

Hi,

Based on my research, the only way I know is using the IIS log to check how many phones are connecting to Exchange. If you don't want users to be able to access OWA through BIS, you can use a firewall rule to achieve the goal.

Here are some similar threads for you:

Blackberry users receiving Corporate email when not on BESX Server
http://supportforums.blackberry.com/t5/BlackBerry-Professional-Software/Solved-Blackberry-users-receiving-Corporate-email-when-not-on/td-p/985699

Policy to Block OWA Mail Access
http://supportforums.blackberry.com/t5/BlackBerry-Enterprise-Solution/Policy-to-Block-OWA-Mail-Access/td-p/218632

Thanks,
Evan Liu
June 3rd, 2011 5:34am

Hi, I have seen posts about blocking the IP for BlackBerries, but how do we manage the other devices like Droid phones, Droid tablets, iPhones and iPads? Do you have any suggestions?
June 15th, 2011 3:37am

I have found that by disabling the Mobile Access features they can't get access. I have disabled the following:

- Outlook Mobile Access
- User Initiated Synchronization
- Up to date Notifications

I know they are using "webmail.domain.com" in order to configure the phone. No /owa or https://. I have tried this myself and it doesn't work.

What are the implications of disabling Mobile Access? It is my understanding that by doing this AS will not work; however, if we want AS to work for a particular user then he will be able to connect any other mobile devices using the method that I have specified above. So he will have a company AS device but he might be using other devices to get local email and we will not know.

Summarizing: Is this a real issue? In other words, I am seeing that unauthorized devices (iPhones, BB, tablets, Droids, etc.) can access OWA and locally cache corporate email. What are the options to prevent this from happening, and how do we know who and what device is locally getting email through OWA?

We are looking for any type of solution to prevent and report about the problem, either 3rd party or Microsoft, etc.
August 27th, 2011 5:06pm


In my tests, this is what I have found:

1. Although users set phones up to go to look like OWA, it is ActiveSync that is controlling the connection. If I disable OWA, but leave ActiveSync enabled, my Droid and iPad still receive emails. If I reverse that - enable OWA and disable ActiveSync, then my Droid and iPad receive connection errors.

In our company, we are, by default, enabling OWA and disabling ActiveSync across the board. Anyone who needs ActiveSync for phone must be approved by manager; we have created a policy to push password protection to anyone using ActiveSync. The policy forces users to create a 4-digit PIN on any device that is receiving corporate email - Droid, iPad, etc.

The Exchange 2007 shell command works to show what devices are currently using ActiveSync:

    Get-CASMailbox -Filter {hasactivesyncdevicepartnership -eq $true -and -not displayname -like "CAS_{*"} | Get-Mailbox | foreach { Get-ActiveSyncDeviceStatistics -Mailbox $_ } | ft Identity,LastSuccessSync -AutoSize

We are doing a similar password policy on BB users. I hope this helps.
October 19th, 2011 10:30am

Post,

Is this still an issue or did you come up with a resolution? We are having a similar issue at our organization and I was curious on your potential fix. I noticed (as mentioned by some above) that the mobile devices in question are using EWS to sync the mail. I discovered this by looking in the IIS logs and searching for the username which is connecting using the /EWS/Exchange.asmx string. I did some research and found out this can be remedied in Exchange 2010 (not Exchange 2007, which we are running) using the Set-CASMailbox cmdlet.

Has anyone implemented the below URL and only allowed EWS for Outlook, etc. but disabled any other EWS applications? Curious if this will work before we upgrade to Exchange 2010 to try and resolve this issue. I am not worried about phones connecting through OWA as the mail should not be cached; however, it appears that phones using an EWS application can download and store the messages similar to what you would see on IMAP or POP3.

Thanks, I appreciate the help!

http://thoughtsofanidlemind.wordpress.com/2010/08/12/controlling-ews-access-in-exchange-2010-sp1/
October 24th, 2011 12:07pm
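
The IIS log review that several posts in this thread fall back on (who is hitting /owa, /EWS/Exchange.asmx or ActiveSync, and with which client) can be scripted. The following is an added example, not code from any poster in the thread; it assumes PowerShell 3.0 or later, IIS logs in W3C format with the username and User-Agent fields enabled, and a hypothetical function name and mobile User-Agent pattern. The sample log lines are constructed.

```powershell
# Constructed sample of an IIS W3C log (users, IPs and User-Agents are made up).
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2011-10-24 09:01:12 POST /EWS/Exchange.asmx CONTOSO\alice 203.0.113.10 ExampleMailApp/1.0+(Android+2.2) 200
2011-10-24 09:06:12 POST /EWS/Exchange.asmx CONTOSO\alice 203.0.113.10 ExampleMailApp/1.0+(Android+2.2) 200
2011-10-24 09:07:40 GET /owa/ CONTOSO\bob 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1)+ExampleBrowser/4.0 200
2011-10-24 09:08:02 GET /owa/ CONTOSO\carol 192.0.2.44 Mozilla/5.0+(iPad;+U)+ExampleBrowser/5.0 200
2011-10-24 09:09:30 POST /Microsoft-Server-ActiveSync CONTOSO\dave 192.0.2.80 ExampleSyncClient/2.0 200
2011-10-24 09:10:00 GET /owa/ - 192.0.2.99 ExampleProbe/1.0 401
'@ -split "`r?`n"

# Hypothetical helper: summarises authenticated requests per user, endpoint and client.
function Get-ExchangeWebClientSummary {
    param(
        [string[]]$LogLines,
        # Assumed User-Agent tokens for handheld devices; tune from your own logs.
        [string]$MobilePattern = 'Android|iPhone|iPad|BlackBerry'
    )
    $fields = @()
    $hits = foreach ($line in $LogLines) {
        # The #Fields directive names the columns; it can change mid-file.
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or (-not $line.Trim()) -or $fields.Count -eq 0) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed row
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Classify by virtual directory (switch -Regex is case-insensitive).
        $endpoint = switch -Regex ($row['cs-uri-stem']) {
            '^/owa(/|$)'                    { 'OWA' }
            '^/EWS/'                        { 'EWS' }
            '^/Microsoft-Server-ActiveSync' { 'ActiveSync' }
        }
        # Skip other URLs and unauthenticated requests (username logged as "-").
        if (-not $endpoint -or $row['cs-username'] -eq '-') { continue }
        [pscustomobject]@{
            User      = $row['cs-username']
            Endpoint  = $endpoint
            UserAgent = $row['cs(User-Agent)'] -replace '\+', ' '   # IIS logs spaces as "+"
        }
    }
    # One output row per user / endpoint / client combination.
    $hits | Group-Object User, Endpoint, UserAgent | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            User = $first.User; Endpoint = $first.Endpoint; UserAgent = $first.UserAgent
            Requests = $_.Count
            Mobile   = [bool]($first.UserAgent -match $MobilePattern)
        }
    } | Sort-Object User, Endpoint
}

Get-ExchangeWebClientSummary -LogLines $sampleLog | Format-Table -AutoSize
```

For real data, pass the output of `Get-Content` on the site's IIS log files as `-LogLines`. As noted earlier in the thread, a client can present any User-Agent it likes, so the Mobile column is a lead for follow-up rather than proof.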

This topic is archived. No further replies will be accepted.
