Solved

Limiting external access to OWA

Posted on 2006-05-12
Last Modified: 2011-09-20
Hi

We use Outlook Web Access as our internal mail client rather than using Outlook for various reasons.

We currently let everyone in the company have access to outlook web access from the internal URL of email.

We have set up front end servers to handle the web traffic and offload the processing from the back end servers.

What I am looking to do is limit the users that can access the mail from outside. We used to use ISA to publish OWA, thus having the ability to restrict access to a user group.

Is there any way that OWA can perform this function? I do not want any access taken away from the internal users, just the external ones.

Any info please don't hesitate to ask away.

Thanks

Richard

Question by:rjropes
9 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 1000 total points
ID: 16666219
Without using something like ISA to restrict access to the URL, you cannot restrict access to OWA. Like most web-based services, the application doesn't know and doesn't care where the connection is coming from. The only restriction you could make would be to cut all access to OWA - either on or off.

Simon.
 
LVL 9

Expert Comment

by:MNH1966
ID: 16666326
Why did you stop using ISA to publish OWA? In a front-end/back-end scenario, it's still the recommended method (as opposed to placing the server in the DMZ).
You could restrict access based on IP, but that would only work if your external users always use the same IP addresses.
 
LVL 4

Author Comment

by:rjropes
ID: 16666359
We wanted to use forms-based authentication, hence why we needed to not publish OWA through the ISA as we do not and are not prepared to upgrade to ISA 2004 for this reason alone. Thus we put the Exchange server in the DMZ and set up the rules accordingly.

Normally in IIS you can set permissions on users that can have access to certain parts of things (i.e. right-click on directory or object and permissions). This then passes the authentication through to that part, thus locking people that we don't want in there out.

Is there a way of replicating this with Exchange Server?

Richard
 
LVL 9

Expert Comment

by:MNH1966
ID: 16666483
You could possibly get there by playing with the ACLs on the front-end (in IIS), but this will be for internal and external users.
You could have one group connect to the front-end and the other to the back-end, but that would kind of negate the point of your front-end server.
 
LVL 4

Author Comment

by:rjropes
ID: 16666523
Currently I have two web sites set up, one for external access using SSL, and one for internal access using HTTP, with separate host headers.

The problem with trying to use ACLs is that I cannot get to them in IIS management; nothing happens when I go to permissions on the websites. I presume that this is because these are Exchange HTTP servers rather than normal default web servers.

Any ideas how to change these? I am quite happy to use ACLs on there to control it, just need to know how to put them in.

Richard
 
LVL 9

Assisted Solution

by:MNH1966
MNH1966 earned 1000 total points
ID: 16666835
You could try changing permission to the Exchsrvr\exchweb folder on your front-end.
Risky and unsupported, but it may get you what you want.
 
LVL 4

Author Comment

by:rjropes
ID: 16667498
Do you mean do this in IIS or do this in Windows?

Sorry for the dull comment.

Richard
 
LVL 9

Expert Comment

by:MNH1966
ID: 16667556
That would be in Windows. Remember: RISKY! :)
If you have a test environment, I'd suggest trying it there first...
 
LVL 4

Author Comment

by:rjropes
ID: 16740816
Hi there

Just a post for completeness. Thanks for all the help guys.

With the frontend servers, I have it sorted out now but not quite how I would like it to be.

The frontend servers now only host external SSL traffic, they no longer host the internal OWA as well.

I tried your setting with permissions to the exchweb directory but could not get that to work. That has put me on the right lines though.

I have set up a group policy for the frontend servers with the 'allow access from the network' option under computer settings > security settings > user rights assignment, and have just let the IUsr, IWAM, admins, backup operators access in there. This setting also has the group that I want to have access to (I called it homemailaccess and added users to it).

This has now rejected all the users that are not in the groups that I want mail enabled.

Richard
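
As an added example (not part of the original thread): a PowerShell check of which accounts hold the user right restricted in the post above, assuming the post refers to "Access this computer from the network" (SeNetworkLogonRight). The function names, the CONTOSO domain, the FE01 server name and the sample export lines are constructed placeholders.

```powershell
# Added example, not from the thread. Audits SeNetworkLogonRight
# ("Access this computer from the network") against an allow-list.

# Allow-list modelled on the post; CONTOSO and FE01 are placeholders.
$Allowed = @(
    'BUILTIN\Administrators', 'BUILTIN\Backup Operators',
    'IUSR_FE01', 'IWAM_FE01', 'CONTOSO\homemailaccess'
)

function Get-UserRightHolders {
    param([string[]] $InfLines, [string] $Right = 'SeNetworkLogonRight')
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.+)'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            # Value is a comma-separated list of *SID or account-name entries
            return $Matches[1].Split(',') | ForEach-Object { $_.Trim() } |
                Where-Object { $_ }
        }
    }
}

function Resolve-Principal {
    param([string] $Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }   # already a name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry                                     # unresolvable SID, report raw
    }
}

function Get-UnexpectedHolders {
    param([string[]] $InfLines, [string[]] $Allowed)
    Get-UserRightHolders -InfLines $InfLines |
        ForEach-Object { Resolve-Principal $_ } |
        Where-Object { $Allowed -notcontains $_ }         # case-insensitive compare
}

# Constructed sample of a secedit user-rights export (not real output).
$sample = @(
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-551,IUSR_FE01,IWAM_FE01',
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551'
)
Get-UnexpectedHolders -InfLines $sample -Allowed $Allowed

# On a live server, from an elevated prompt:
#   secedit.exe /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Get-UnexpectedHolders -InfLines (Get-Content "$env:TEMP\rights.inf") -Allowed $Allowed
```

An empty result means only the allow-listed principals hold the right on that server.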