Restricting Outlook Web Access to Domain Joined PCs only

Hi,

Is it possible to restrict OWA to domain joined PCs only with Exchange 2010 and Exchange 2013?

The only methods I'm aware of are:

- using IP/subnet filtering with Exchange native capabilities and/or a 3rd party security product
- use a 3rd party product to publish OWA and ensure that any security checks request a machine certificate before accepting the connection

Ideally I'm looking for a way to restrict only domain joined PCs to accessing Exchange OWA without 3rd party appliances.

Thanks

March 11th, 2015 1:30pm

Hi,

Just configure the Internal Connection of the OWA, and configure Windows authentication in IIS.

Regards,

March 11th, 2015 2:48pm

Hi,

To block or disable external OWA for Exchange users, please refer to the following steps:

  1. Create a new website only for the ActiveSync service. Ex: (New-WebSite -Name TestSite -Port 80 -HostHeader TestSite -PhysicalPath "$env:systemdrive\inetpub\testsite").
  2. Assign a new IP address to that website.
  3. Create an ActiveSync virtual directory in the new website. Ex: (New-ActiveSyncVirtualDirectory -WebSiteName "TestSite" -ExternalURL http://www.contoso.com/mail -InternalURL http://contoso/mail).
  4. Assign a certificate to the new website.
  5. Don't create OWA and ECP virtual directories in the new website.
  6. On the firewall, NAT the public IP address to the internal IP address assigned to the new website.
  7. Use the Default Website for internal Outlook Web Access (without External URL settings and with no public IP address for the default site).

Alternatively, we can keep the default web site for external access of ActiveSync and external OWA disabled. Then create a new Web Site for Internal OWA-ECP using.

For more details about this method, please refer to this blog:

http://www.expta.com/2013/09/how-to-block-owa-2010-and-2013-for.html

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

Best Regards.

March 12th, 2015 3:07am
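A way to check the result of the steps in the post above, as an added example that is not part of the original thread: it confirms that the published site carries only ActiveSync (steps 3 and 5) and that OWA/ECP on the other sites have no External URL (step 7). It assumes the Exchange Management Shell on the Client Access server and the site name `TestSite` from step 1; `Get-SiteName` is a hypothetical helper.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
$externalSite = 'TestSite'          # site name taken from step 1; adjust as needed
$server       = $env:COMPUTERNAME   # assumption: run locally on the CAS

# Virtual directory names look like "owa (Default Web Site)"; the IIS site
# name is the text between the trailing parentheses.
function Get-SiteName($vdir) {
    if ($vdir.Name -match '\((.+)\)$') { $Matches[1] }
}

$findings = @()

# Steps 5 and 7: OWA/ECP must not exist on the published site, and the
# copies on internal sites must not advertise an External URL.
$webDirs = @(Get-OwaVirtualDirectory -Server $server) +
           @(Get-EcpVirtualDirectory -Server $server)
foreach ($vdir in $webDirs) {
    if ((Get-SiteName $vdir) -eq $externalSite) {
        $findings += "FAIL: '$($vdir.Name)' exists on the published site"
    }
    elseif ($vdir.ExternalUrl) {
        $findings += "WARN: '$($vdir.Name)' still has ExternalUrl $($vdir.ExternalUrl)"
    }
}

# Step 3: the published site needs its own ActiveSync virtual directory.
$eas = Get-ActiveSyncVirtualDirectory -Server $server |
       Where-Object { (Get-SiteName $_) -eq $externalSite }
if (-not $eas) {
    $findings += "FAIL: no ActiveSync virtual directory on '$externalSite'"
}

if ($findings) { $findings } else { "OK: '$externalSite' publishes ActiveSync only" }
```

This only verifies which services each IIS site exposes; it says nothing about whether a connecting client is domain joined.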

Thanks Alex,

 I think that might do it - will give it a try.

Li,

 That link refers to blocking external users, I simply want to block non domain joined computers regardless of whether the machine is on the corporate LAN or the internet.

 In addition, would making these changes break ActiveSync access on Windows phones?

Thanks

March 12th, 2015 6:45am

This topic is archived. No further replies will be accepted.
