Restrict OWA and Outlook anywhere access
Hi everybody. I have to change a deployed Exchange 2010 organization. I have 2 servers, one for the Mailbox role, one for the Hub Transport/CAS roles. Actually, everyone in the company can access his mailbox by OWA or Outlook Anywhere. My staff wants to restrict external access to a few users only (with a security group in Active Directory). So, these users will be able to access OWA and Outlook Anywhere outside the LAN. The other users cannot. Inside the LAN, everyone will be able to access OWA.

I tried to create a new OWA/ECP virtual directory in IIS on port 44321. In my FortiGate firewall, I redirected the 443 flow to my CAS server, on port 44321. With security settings, I was able to restrict access in OWA. But after that no one could access his mailbox with RPC/HTTP anyway, and I can't find how I can restrict RPC/HTTP accesses. Can someone have issue for this? Thanks. Iom
April 6th, 2011 7:51pm

Disable the feature via mail features on the user's mailbox or via Set-CASMailbox: http://technet.microsoft.com/en-us/library/bb125264.aspx
April 6th, 2011 8:22pm

Thanks, but with this method, I will restrict access in internal too? I just need to restrict external accesses.
April 7th, 2011 11:41am

The only way to do this is to use TMG and control access that way. If you disable the functionality in Exchange, then it is all or nothing. Outlook Anywhere cannot use any other port than 443, which is why you stopped that from working.

Simon.
Simon Butler, Exchange MVP
April 7th, 2011 6:33pm

Hi Iom84, Any updates?

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 12th, 2011 9:29am

Salam, I have done something similar, try this if you want:

- Create a new OWA virtual directory.
- Change the SSL port to something else. From IIS deny all IP addresses and add the allowed ones (your LAN IPs).

This will solve your internal access problem. For the external part:

- Create an AD group (DeniedFromExternalOWA) and add all the restricted users to it.
- Now go to C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth\owaauth.dll and add the DeniedFromExternalOWA group to it with Full Deny permissions.

Also note you can't remove the Authenticated Users because OWA then will crash. I hope this helps, Kindest regards.
April 12th, 2011 12:35pm
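
The file-permission step from the post above, as an added example that is not part of the original thread: it applies the Deny entry idempotently, records the original ACL first, and checks that Authenticated Users still has access. The domain name CONTOSO is a placeholder assumption; the file path and group name are the ones given in the post.

```powershell
# Added example, not from the thread. Run elevated on the CAS server.
# Assumption: CONTOSO is a placeholder for your own domain name.
$dll   = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth\owaauth.dll'
$group = 'CONTOSO\DeniedFromExternalOWA'
$sidType = [System.Security.Principal.SecurityIdentifier]

$acl = Get-Acl -Path $dll

# Save the original ACL as SDDL once, so the change can be reviewed or reverted.
$backup = Join-Path $env:TEMP 'owaauth.dll.sddl.txt'
if (-not (Test-Path $backup)) { $acl.Sddl | Set-Content -Path $backup }

# Resolve the group to a SID so the comparison does not depend on name format.
$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate($sidType)

# Look for an explicit (non-inherited) Deny entry for the group.
$deny = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $sid.Value
}

if ($deny) {
    Write-Output "Deny entry for $group already present on $dll"
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'FullControl', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dll -AclObject $acl
    Write-Output "Added Deny FullControl entry for $group on $dll"
}

# The post warns that OWA breaks if Authenticated Users is removed.
# S-1-5-11 is the well-known SID for Authenticated Users.
$authUsers = (Get-Acl -Path $dll).GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq 'S-1-5-11'
}
if (-not $authUsers) {
    Write-Warning "No Allow entry for Authenticated Users found on $dll"
}
```

Because the script only adds the entry when it is missing, it can be re-run as a check after any change that replaces the file.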

Thanks doOdzZZ, your solution is the good way. Cheers
July 4th, 2011 1:19pm
