rjropes

Limiting external access to OWA

Hi

We use Outlook Web Access as our internal mail client rather than using Outlook for various reasons.

We currently let everyone in the company have access to Outlook Web Access from the internal URL of email.

We have set up front-end servers to handle the web traffic and offload the processing from the back-end servers.

What I am looking to do is limit the users that can access the mail from outside. We used to use ISA to publish OWA, thus having the ability to restrict access to a user group.

Is there any way that OWA can perform this function? I do not want any access taken away from the internal users, just the external ones.

Any info please don't hesitate to ask away.

Thanks

Richard

ASKER CERTIFIED SOLUTION
Sembee
This solution is only available to members.
Why did you stop using ISA to publish OWA? In a front-end/back-end scenario, it's still the recommended method (as opposed to placing the server in the DMZ).
You could restrict access based on IP, but that would only work if your external users always use the same IP addresses.
rjropes

ASKER

We wanted to use forms-based authentication, hence why we needed to not publish OWA through the ISA, as we do not and are not prepared to upgrade to ISA 2004 for this reason alone. Thus we put the Exchange server in the DMZ and set up the rules accordingly.

Normally in IIS you can set permissions on users that can have access to certain parts of things (i.e. right-click on a directory or object and choose Permissions). This then passes the authentication through to that part, thus locking people that we don't want in there out.

Is there a way of replicating this with Exchange server?

Richard
You could possibly get there by playing with the ACLs on the front-end (in IIS), but this will be for internal and external users.
You could have one group connect to the front-end and the other to the back-end, but that would kind of negate the point of your front-end server.
rjropes

ASKER

Currently I have two web sites set up, one for external access using SSL, and one for internal access using HTTP, with separate host headers.

The problem with trying to use ACLs is that I cannot get to them in IIS management; nothing happens when I go to permissions on the websites. I presume that this is because these are Exchange HTTP servers rather than normal default web servers.

Any ideas how to change these? I am quite happy to use ACLs on there to control it, just need to know how to put them in.

Richard
SOLUTION
This solution is only available to members.
rjropes

ASKER

Do you mean do this in IIS or do this in Windows?

Sorry for the dull comment.

Richard
That would be in Windows. Remember: RISKY! :)
If you have a test environment, I'd suggest trying it there first...
rjropes

ASKER

Hi there

Just a post for completeness. Thanks for all the help guys.

With the front-end servers, I have it sorted out now but not quite how I would like it to be.

The front-end servers now only host external SSL traffic; they no longer host the internal OWA as well.

I tried your setting with permissions to the exchweb directory but could not get that to work. That has put me on the right lines though.

I have set up a group policy for the front-end servers with the 'allow access from the network' option under Computer Settings > Security Settings > User Rights Assignment, and have just let the IUsr, IWAM, admins and backup operators have access in there. This setting also has the group that I want to have access (I called it homemailaccess and added users to it).

This has now rejected all the users that are not in the groups that I want mail enabled.

Richard
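
One way to verify the end state described in the last post, as an added example that is not part of the original thread: it assumes the policy is the "Access this computer from the network" user right (SeNetworkLogonRight) and that the front-end's rights were exported with `secedit /export /areas USER_RIGHTS /cfg <file>`. The account names, domain SID and function names are constructed for illustration.

```python
# Added example: audit a secedit USER_RIGHTS export for SeNetworkLogonRight
# ("Access this computer from the network") on an OWA front-end server.
import configparser

# Well-known SIDs that would re-open the front-end to every account.
BROAD_SIDS = {
    "*S-1-1-0": "Everyone",
    "*S-1-5-11": "Authenticated Users",
    "*S-1-5-32-545": "BUILTIN\\Users",
}

# Constructed sample export; the domain SID and account names are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551,IUSR_FE01,IWAM_FE01,*S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-11
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

def network_logon_principals(inf_text):
    """Return the principals granted SeNetworkLogonRight in the export."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of the right names
    parser.read_string(inf_text)
    raw = parser.get("Privilege Rights", "SeNetworkLogonRight", fallback="")
    return [p.strip() for p in raw.split(",") if p.strip()]

def audit(inf_text, allowed):
    """Return (broad groups still granted, other principals not in allowed)."""
    granted = network_logon_principals(inf_text)
    broad = [BROAD_SIDS[p] for p in granted if p in BROAD_SIDS]
    unexpected = [p for p in granted
                  if p not in allowed and p not in BROAD_SIDS]
    return broad, unexpected

if __name__ == "__main__":
    # Administrators, Backup Operators, IIS accounts, homemailaccess (placeholder SID)
    allowed = {"*S-1-5-32-544", "*S-1-5-32-551", "IUSR_FE01", "IWAM_FE01",
               "*S-1-5-21-1111111111-2222222222-3333333333-1105"}
    broad, unexpected = audit(SAMPLE_INF, allowed)
    print("Broad groups still granted:", broad)
    print("Other unexpected principals:", unexpected)
```

A real secedit export is normally UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text in.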