victornegri

asked on

Limit RPC over HTTP Exchange 2003

Is there a way to limit the users that are able to access Exchange over RPC over HTTP from home? i.e. Everyone should be able to get on Exchange in the office but only a select group of users are allowed to configure their home computers to access Exchange.
ASKER CERTIFIED SOLUTION
northcide

victornegri

ASKER

I only want the directors of the company to be able to check email from home because I don't want sensitive information from the company leaving the office (most users can only send/receive email within the company and cannot send/receive to the internet).
Do these users have access to OWA?
No. OWA is not installed. Would that be easier to restrict?

In your previous post you mentioned setting security restrictions on IIS and stated that they would need static IP addresses... why would they need static IP addresses?
Well, you see, Exchange doesn't differentiate access from different locations based on which user is connecting.  You can either
a) restrict users that are allowed to connect to Exchange by username
b) restrict which IP addresses are allowed to connect via IIS
I could explain that in more detail, however it can get complicated.  I don't think it will be possible to do what you want without the use of a VPN connection and strict security policies set up.  You have no facility to set this type of access running normal NAT/static routing from public IP through firewall to Exchange server.
Currently the directors are VPN'ing into the system and we have the RPC ports open to the Exchange server (only through the VPN) so they can use Outlook from home. It's a pain and sometimes they get disconnected from Exchange. I want to see whether eliminating VPN and enabling RPC over HTTP will have any effect on speed and performance but the solution will also have to be able to limit it to just them.

Is it possible to set ACL permissions on the C:\WINDOWS\SYSTEM32\RPCPROXY folder to limit it to those people I want to access RPC over HTTP?
Speed and general performance WILL improve when you get remote users out of a VPN connection.  I wouldn't mess with ACL permissions on that folder, I can't imagine that would work, and would probably break something.  Might want to just allow it to work but don't tell anyone it is possible for them to get their email via Outlook remotely except for the important people that have access.  And if they figure out that other people are doing it then say "nope, sorry it won't work for you because you don't have permission on the server" - they'll give up at that point.

Obviously not the most secure method, but a method nonetheless :)
I personally don't believe in the security of user ignorance. :)

I think what I might try is a MAC address filter on the firewall to limit it to only those computers that I want to have access. I'll see if that works. Thanks for the help.
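
Added example, not part of the original thread: whichever restriction ends up in place, the IIS W3C log on the RPC proxy server records who actually connects over RPC over HTTP, so it can be audited against the approved list. The account names, server name, field selection and log lines below are constructed; `RPC_IN_DATA`/`RPC_OUT_DATA` and `/rpc/rpcproxy.dll` are the verbs and path RPC over HTTP uses.

```python
from collections import defaultdict

# Hypothetical approved accounts (the directors); replace with real ones.
ALLOWED = {"corp\\director1", "corp\\director2"}
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2005-03-01 08:01:09 RPC_IN_DATA /rpc/rpcproxy.dll mail01:6001 - 203.0.113.7 401
2005-03-01 08:01:10 RPC_IN_DATA /rpc/rpcproxy.dll mail01:6001 CORP\\director1 203.0.113.7 200
2005-03-01 08:01:10 RPC_OUT_DATA /rpc/rpcproxy.dll mail01:6001 CORP\\director1 203.0.113.7 200
2005-03-01 19:42:31 RPC_IN_DATA /rpc/rpcproxy.dll mail01:6001 CORP\\jsmith 198.51.100.23 200
2005-03-01 19:50:02 GET /default.htm - CORP\\jsmith 192.0.2.50 200
2005-03-01 20:15:44 RPC_IN_DATA /rpc/rpcproxy.dll mail01:6001 CORP\\temp1 198.51.100.99 401
"""

def parse_w3c(text):
    """Yield one dict per entry, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def unapproved_rpc_users(text, allowed):
    """Map each account outside `allowed` that completed an RPC over HTTP
    request (status 200) to the set of client IPs it connected from."""
    allowed = {a.lower() for a in allowed}
    hits = defaultdict(set)
    for e in parse_w3c(text):
        if (e.get("cs-method") in RPC_METHODS
                and e.get("cs-uri-stem", "").lower() == "/rpc/rpcproxy.dll"
                and e.get("sc-status") == "200"):
            user = e.get("cs-username", "-").lower()
            if user != "-" and user not in allowed:  # "-" = unauthenticated
                hits[user].add(e.get("c-ip"))
    return dict(hits)

if __name__ == "__main__":
    for user, ips in unapproved_rpc_users(SAMPLE_LOG, ALLOWED).items():
        print(f"unapproved RPC over HTTP use: {user} from {sorted(ips)}")
```

Rejected attempts (401) are ignored here on purpose; an empty result means the restriction is holding for authenticated sessions.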