Enable OutlookAnywhere for internal use ONLY

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Enable OutlookAnywhere for internal use ONLY

    I have a customer who wants to provide OWA services from Exchange 2007 (on Windows 2008) for both internal and external use... BUT - they specifically do not want to allow OutlookAnywhere to external users... and then there's the hitch - internally they have several divisions and locations that are firewalled off - so they do need to use OutlookAnywhere internally...

    The only thing I can come up with so far is to add a second IP address/DNS name and a second website for /RPC and /RPCwithCert. Then only put a firewall rule in place for the primary IP, not the secondary IP....

    Has anyone done anything like this before? Is there a better solution?

    Thanks!

    -g

  • #2
    Re: Enable OutlookAnywhere for internal use ONLY

    Do you use ISA or Forefront?

    If you have ISA in front, use that to publish ONLY the OWA rule.
    Please do show your appreciation to those who assist you by leaving Rep Points.



    • #3
      Re: Enable OutlookAnywhere for internal use ONLY

      Out of curiosity, WHY do they not want to give external users the far richer experience of Outlook Anywhere over OWA?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Enable OutlookAnywhere for internal use ONLY

        ISA/Forefront TMG is going to be the only option here. Without that you cannot stop Outlook Anywhere from being used outside the network because autodiscover will play a part.

        IIS/Exchange doesn't care where the traffic comes from; as long as the connection resolves, it will connect. Outlook Anywhere provides you with three options - on, off, or disabled on a per-user basis. Location is not an option. Therefore ISA is your only option.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.



        • #5
          Re: Enable OutlookAnywhere for internal use ONLY

          Originally posted by Ossian:
          Out of curiosity, WHY do they not want to give external users the far richer experience of Outlook Anywhere over OWA?
          The customer houses a lot of financial information and feels OA makes it too easy to synchronize data to an outside point. OWA would make a data leak a bit slower at least. I know, it's not technically any safer, but there isn't supposed to be any financial data in the email system anyway, and this is what the customer has decided.

          They do not have ISA....

          Here's what we're trying today - I'll let you know how it goes:

          1. Delete the /rpc and the /rpcwithcert directories from the default web site
          2. Create a new web site on a specific (secondary) ip address that does NOT have a public NAT.
          3. Add the /rpc and /rpcwithcert directories to the secondary web site.
          4. Put an internal DNS entry in for the secondary web site (no external).



          • #6
            Re: Enable OutlookAnywhere for internal use ONLY

            Alright, we switched it around a bit.
            Since users were already using OA in the remote office (firewalled office), and since there are a lot more Exchange web services anyway, I simply created a new OWA website, and we'll change the public NAT for OWA to that IP address. Since that IP address has ONLY OWA, it should prevent all outside use of OA.

            Add a new IP address to the server as a secondary (deselect auto DNS registration).
            Create a new website called "EmailOWA" in IIS.
            Adjust the default website to bind only to the original IP address instead of "*".
            Adjust the EmailOWA website to bind only to the new secondary IP.
            Run the Exchange shell command:
            New-OWAVirtualDirectory -OWAVersion "Exchange2007" -VirtualDirectoryType Mailboxes -Website "EmailOWA"
            Do the normal /owa redirect, etc.

            All that's left after that is to change the firewall NAT to the new web site's IP.

            It's working in test... now to do it in production....

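The procedure in #6 (and the IIS binding move from #5, which relies on the same mechanism), written out as a script with a verification step at the end. This is an added example, not code from the thread or from Microsoft; it assumes the Exchange Management Shell on the CAS, IIS 7 on Windows Server 2008 (appcmd and netsh are the built-ins), and PowerShell 2.0 for try/catch. Every IP, hostname, path, thumbprint and GUID below is a placeholder, and the public-side checks only mean something when run from outside the network (or against the secondary IP with split DNS), since internally the public name may resolve differently.

```powershell
# Added example (not from the thread): split OWA onto an OWA-only IIS site bound to a
# secondary IP, keep /rpc, /rpcwithcert, /EWS and /Autodiscover on the original IP,
# then confirm from each side what answers and what does not.
# All values below are assumed placeholders.

$InternalIP   = "10.0.0.5"                 # original IP: keeps /rpc, /rpcwithcert, /EWS, /Autodiscover
$PublicIP     = "10.0.0.6"                 # new secondary IP: only OWA lives here; this gets the public NAT
$PublicName   = "mail.example.com"         # public DNS name, resolves to the NATed address
$InternalName = "cas01.corp.example.com"   # internal name, resolves to $InternalIP only
$CertHash     = "<CERT-THUMBPRINT>"        # thumbprint of the existing Exchange certificate
$AppId        = "{4dc3e181-e14b-4a21-b022-59fc669b0914}"   # IIS 7's application id for SSL bindings
$appcmd       = Join-Path $env:windir "system32\inetsrv\appcmd.exe"

# 1. Default Web Site: replace the "*" binding with the internal IP only.
& $appcmd set site /site.name:"Default Web Site" /bindings:"http/${InternalIP}:80:,https/${InternalIP}:443:"

# 2. New OWA-only site bound to the secondary IP.
New-Item -ItemType Directory -Path "C:\inetpub\EmailOWA" -Force | Out-Null
& $appcmd add site /name:"EmailOWA" /physicalPath:"C:\inetpub\EmailOWA" /bindings:"http/${PublicIP}:80:,https/${PublicIP}:443:"

# 3. SSL: IIS 7 keeps certificate-to-ipport mappings in HTTP.sys. Skip this line if
#    "netsh http show sslcert" already lists 0.0.0.0:443 for this certificate, because
#    a wildcard binding covers both IPs.
netsh http add sslcert ipport="${PublicIP}:443" certhash=$CertHash appid=$AppId

# 4. Create the OWA virtual directory on the new site and give it the public URL.
New-OwaVirtualDirectory -OwaVersion Exchange2007 -VirtualDirectoryType Mailboxes -WebSiteName "EmailOWA"
Set-OwaVirtualDirectory -Identity "$env:COMPUTERNAME\owa (EmailOWA)" -ExternalUrl "https://$PublicName/owa"
iisreset /noforce

# 5. Verification: an unauthenticated GET to each path, without following redirects.
function Get-HttpStatus([string]$Url) {
    # Accept any certificate: the test may hit the server by IP or by a name the cert does not carry.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        # 401/404 arrive as exceptions; the response object still carries the status code.
        if ($_.Exception.Response -ne $null) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# What the split should look like from each side. Public side: only /owa answers; /rpc and
# autodiscover (which is what would hand Outlook its RPC-over-HTTP settings) are 404.
# Internal side: /rpc still answers (401 = exists, wants authentication).
$checks = @(
    @{ Url = "https://$PublicName/owa";                           Expect = @(200, 301, 302) },
    @{ Url = "https://$PublicName/rpc";                           Expect = @(404) },
    @{ Url = "https://$PublicName/Autodiscover/Autodiscover.xml"; Expect = @(404) },
    @{ Url = "https://$InternalName/rpc";                         Expect = @(401) }
)
foreach ($c in $checks) {
    $code = Get-HttpStatus $c.Url
    $ok = $c.Expect -contains $code
    "{0,-5} {1} -> {2}" -f $(if ($ok) { "OK" } else { "FAIL" }), $c.Url, $code
}
```

The point of the last block is the one #4 raises: binding alone does not make Outlook "location aware", it only removes the RPC and Autodiscover endpoints from the address that is NATed. Re-run the checks after every firewall or binding change, and watch for an extra "*" binding creeping back onto the default site, which would re-expose everything on the public IP.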