Restrict OWA and Outlook anywhere access
Hi everybody. I have to change a deployed Exchange 2010 organization. I have 2 servers, one for the Mailbox role, one for the Hub Transport/CAS roles. Currently, everyone in the company can access his mailbox by OWA or Outlook Anywhere. My staff wants to restrict external access to a few users only (with a security group in Active Directory). So these users will be able to access OWA and Outlook Anywhere outside the LAN; the other users cannot. Inside the LAN, everyone will be able to access OWA.

I tried to create a new OWA/ECP virtual directory in IIS on port 44321. In my Fortigate firewall, I redirected the 443 flow to my CAS server on port 44321. With security settings, I was able to restrict access in OWA. But after that no one could access his mailbox with RPC/HTTP anyway, and I can't find how I can restrict RPC/HTTP access. Can someone help with this? Thanks. Iom
April 6th, 2011 12:57pm

Disable the feature via mail features on user's mailbox or via set-casmailbox http://technet.microsoft.com/en-us/library/bb125264.aspx
April 6th, 2011 1:28pm
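The per-mailbox approach from the reply above, scripted as an added example (this is not the poster's code and not from the linked TechNet page). It assumes the Exchange 2010 Management Shell with the Active Directory module available, and a hypothetical security group named OWAExternalAllowed whose members keep OWA, ActiveSync and Outlook Anywhere; everyone else has those features switched off. As the thread later notes, this is all-or-nothing: a user disabled here loses OWA on the LAN as well, since Set-CASMailbox knows nothing about where the connection comes from.

```powershell
# Added example: apply Set-CASMailbox per mailbox based on AD group membership.
# Assumptions: Exchange 2010 Management Shell on a CAS/Hub server, ActiveDirectory
# module installed (Windows Server 2008 R2 RSAT), and a security group named
# "OWAExternalAllowed" (hypothetical name) whose members keep remote access.
Import-Module ActiveDirectory

$allowedGroup = "OWAExternalAllowed"   # hypothetical AD security group

# Resolve nested membership to a flat list of user account names
$allowed = Get-ADGroupMember -Identity $allowedGroup -Recursive |
    Where-Object { $_.objectClass -eq "user" } |
    Select-Object -ExpandProperty SamAccountName

# Walk every mailbox and set the three client-access features in one pass.
# -MAPIBlockOutlookRpcHttp $true is what turns Outlook Anywhere off for a user.
# Remove -WhatIf after reviewing the planned changes.
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $keep = $allowed -contains $_.SamAccountName
    Set-CASMailbox -Identity $_.Identity `
        -OWAEnabled $keep `
        -ActiveSyncEnabled $keep `
        -MAPIBlockOutlookRpcHttp (-not $keep) `
        -WhatIf
}

# Verification: list who still has OWA or Outlook Anywhere after the change,
# so the result can be compared against the group membership.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled -or -not $_.MAPIBlockOutlookRpcHttp } |
    Select-Object SamAccountName, OWAEnabled, ActiveSyncEnabled, MAPIBlockOutlookRpcHttp |
    Format-Table -AutoSize
```

Run it once with -WhatIf to see which mailboxes would change; the verification query at the end is the check to keep around, because any mailbox created later will default to all features enabled until the script is run again.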


Thanks, but with this method, will I restrict access internally too? I just need to restrict external access.
April 7th, 2011 4:44am

The only way to do this is to use TMG and control access that way. If you disable the functionality in Exchange, then it is all or nothing. Outlook Anywhere cannot use any other port than 443, which is why you stopped that from working. Simon. Simon Butler, Exchange MVP
April 7th, 2011 11:35am

Hi Iom84, any updates? Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 12th, 2011 2:31am

Salam, I have done something similar, try this if you want:
- Create a new OWA virtual directory.
- Change the SSL port to something else.
- From IIS deny all IP addresses and add the allowed ones (your LAN IPs). This will solve your internal access problem.
For the external part:
- Create an AD group (DeniedFromExternalOWA) and add all the restricted users to it.
- Now go to C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth\owaauth.dll and add the DeniedFromExternalOWA group to it with Full Deny permissions. Also note you can't remove Authenticated Users because OWA will then crash.
I hope this helps, kindest regards.
April 12th, 2011 5:37am
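The IIS and NTFS steps from the reply above, scripted as an added example (not the poster's code). It assumes an Exchange 2010 CAS on Windows Server 2008 R2 with the IIS "IP and Domain Restrictions" role service installed, an internal OWA site named OWA-Internal (hypothetical name), a constructed LAN range of 10.0.0.0/8, and CONTOSO as a placeholder domain. Note what it does and does not cover: the IP allow-list protects the internal site, and the deny ACE on owaauth.dll blocks the group from OWA on the external site; it does nothing for Outlook Anywhere or ActiveSync, which the thread confirms still need a separate answer.

```powershell
# Added example: IP allow-list on the internal OWA site plus an NTFS deny for
# the restricted group on owaauth.dll, as described in the reply above.
# Assumptions: IIS 7.5 with the IP and Domain Restrictions feature installed,
# site name "OWA-Internal" (hypothetical), LAN range 10.0.0.0/8 (constructed),
# and "CONTOSO" as a placeholder for the real domain NetBIOS name.
$appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$site   = "OWA-Internal"
$lanRanges = @(
    @{ ip = "10.0.0.0"; mask = "255.0.0.0" }   # constructed LAN range; replace with yours
)

# 1. Make ipSecurity editable at site level, then deny everything not listed.
& $appcmd unlock config /section:system.webServer/security/ipSecurity
& $appcmd set config $site /section:system.webServer/security/ipSecurity `
    /allowUnlisted:false /commit:apphost

# 2. Add one allow entry per LAN range.
foreach ($r in $lanRanges) {
    & $appcmd set config $site /section:system.webServer/security/ipSecurity `
        "/+[ipAddress='$($r.ip)',subnetMask='$($r.mask)',allowed='true']" /commit:apphost
}

# 3. Deny the restricted group on owaauth.dll. Only a deny ACE is added;
#    Authenticated Users is left in place, as the reply warns OWA breaks without it.
$dll = "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth\owaauth.dll"
icacls $dll /deny "CONTOSO\DeniedFromExternalOWA:(RX)"

# 4. Show the resulting IIS rule set and file ACL so the change can be reviewed.
& $appcmd list config $site /section:system.webServer/security/ipSecurity
icacls $dll
```

The two review commands at the end are the part worth keeping: the IP list should show allowUnlisted="false" with only the LAN entries, and the ACL should show the deny ACE above the existing Authenticated Users entry. Back up the site's configuration (appcmd add backup) before running step 1, since a mistake in the allow-list locks out the LAN as well.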

Hi. Just to summarize. I've created a second OWA/ECP website in IIS on port 44321. I redirect external access in the firewall to point to 44321. It works fine, access is restricted, but:
- Outlook Anywhere doesn't work anymore.
- Synchronisation with mobile phones doesn't work either.
My question is: is there a risk in changing the configuration this way?
- Internal users point to the second website (i.e. port 44321), with no restriction.
- External users point to the default website, on which I deny permissions on the owa/ECP folders (i.e. the default permissions, to which I add Deny permissions).
I note that removing "Authenticated Users" crashes Exchange, but if I only deny access, is it the same or will it work?
July 4th, 2011 6:21am

Thanks doOdzZZ, your solution is the right way. Cheers
July 4th, 2011 1:19pm
