Limiting external access to OWA

Hi

We use Outlook Web Access as our internal mail client rather than using Outlook for various reasons.

We currently let everyone in the company have access to Outlook Web Access from the internal URL of email.

We have set up front end servers to handle the web traffic and offload the processing from the back end servers.

What I am looking to do is limit the users that can access the mail from outside. We used to use ISA to publish OWA, thus having the ability to restrict access to a user group.

Is there any way that OWA can perform this function? I do not want any access taken away from the internal users, just the external ones.

Any info please don't hesitate to ask away.

Thanks

Richard

rjropes Asked:
 
Sembee Commented:
Without using something like ISA to restrict access to the URL, you cannot restrict access to OWA. Like most web-based services, the application doesn't know and doesn't care where the connection is coming from. The only restriction you could make would be to cut all access to OWA - either on or off.

Simon.
0
 
MNH1966 Commented:
Why did you stop using ISA to publish OWA? In a front-end/back-end scenario, it's still the recommended method (as opposed to placing the server in the DMZ).
You could restrict access based on IP, but that would only work if your external users always use the same IP addresses.
0
 
rjropes (Author) Commented:
We wanted to use forms based authentication, hence why we needed to not publish OWA through the ISA as we do not and are not prepared to upgrade to ISA 2004 for this reason alone. Thus we put the Exchange server in the DMZ and set up the rules accordingly.

Normally in IIS you can set permissions on users that can have access to certain parts of things (i.e. right-click on directory or object and permissions). This then passes the authentication through to that part, thus locking people that we don't want in there out.

Is there a way of replicating this with Exchange Server?

Richard
0
 
MNH1966 Commented:
You could possibly get there by playing with the ACLs on the front-end (in IIS), but this will be for internal and external users.
You could have one group connect to the front-end and the other to the back-end, but that would kind of negate the point of your front-end server.
0
 
rjropes (Author) Commented:
Currently I have two web sites set up, one for external access using SSL, and one for internal access using HTTP, with separate host headers.

The problem with trying to use ACLs is that I cannot get to them in IIS management, nothing happens when I go to permissions on the websites. I presume that this is because these are Exchange HTTP servers rather than normal default web servers.

Any ideas how to change these? I am quite happy to use ACLs on there to control it, just need to know how to put them in.

Richard
0
 
MNH1966 Commented:
You could try changing permission to the Exchsrvr\exchweb folder on your front-end.
Risky and unsupported, but it may get you what you want.
0
 
rjropes (Author) Commented:
Do you mean do this in IIS or do this in Windows?

Sorry for the dull comment.

Richard
0
 
MNH1966 Commented:
That would be in Windows. Remember: RISKY! :)
If you have a test environment, I'd suggest trying it there first...
0
 
rjropes (Author) Commented:
Hi there

Just a post for completeness. Thanks for all the help guys.

With the frontend servers, I have it sorted out now but not quite how I would like it to be.

The frontend servers now only host external SSL traffic, they no longer host the internal OWA as well.

I tried your setting with permissions to the exchweb directory but could not get that to work. That has put me on the right lines though.

I have set up a group policy for the frontend servers with the 'allow access from the network' option under computer settings > security settings > user rights assignment, and have just let the IUsr, IWAM, admins, backup operators access in there. This setting also has the group that I want to have access to (I called it homemailaccess and added users to it).

This has now rejected all the users that are not in the groups that I want mail enabled.

Richard
0
Question has a verified solution.
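The accepted approach relies on the user right that Windows lists as "Access this computer from the network" (SeNetworkLogonRight), so it is worth checking that the effective setting on each front-end server still matches the intended list. The script below is an added example, not part of the original thread: it audits the `[Privilege Rights]` section of a `secedit /export /cfg` file against an allow-list. The sample export, the host name FE01 and the domain SID standing in for the homemailaccess group are constructed.

```python
# Constructed sample of a `secedit /export /cfg` file from a hypothetical
# front-end server FE01. Entries are SIDs (prefixed with *) or account names.
# The S-1-5-21-... SID is a made-up stand-in for the homemailaccess group.
HOMEMAIL_SID = "*S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551,IUSR_FE01,IWAM_FE01,""" + HOMEMAIL_SID + """
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

# Well-known SIDs that would reopen the server to every account.
BROAD = {
    "*S-1-1-0": "Everyone",
    "*S-1-5-11": "Authenticated Users",
    "*S-1-5-32-545": "Users",
}

def privilege_holders(inf_text, right):
    """Return the principals assigned `right` in the [Privilege Rights] section."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == right.lower():
            return [p.strip() for p in value.split(",") if p.strip()]
    return []

def audit_network_logon(inf_text, allowed):
    """Compare SeNetworkLogonRight holders with an allow-list, ignoring case."""
    holders = privilege_holders(inf_text, "SeNetworkLogonRight")
    allowed_cf = {a.casefold() for a in allowed}
    holders_cf = {h.casefold() for h in holders}
    return {
        "unexpected": [h for h in holders if h.casefold() not in allowed_cf],
        "broad": [BROAD[h.upper()] for h in holders if h.upper() in BROAD],
        "missing": [a for a in allowed if a.casefold() not in holders_cf],
    }
```

A real export is normally saved as Unicode, so read it with `open(path, encoding="utf-16")` before passing the text to `audit_network_logon`.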
