Limiting OWA Access With ISA
Posted on 2006-11-10
We have an Exchange 2003 environment that has been in place for a little over a month now. We are still actively migrating users from our Domino 5 server. Our next batch of migrations includes users that have no permanent desks. Currently, when we have finished migrating a group of users we will manually apply a profile that has been created using the Office Deployment Tools. However, despite our test environment showing a different result, anytime a user logs into a machine that is not their own, Outlook tries to run the manual configuration again (in our test lab the profile that was installed via the GPO installation of Outlook was applied for all users).
As a result of this situations our helpdesk has been configuring the handful of users that use more than one computer. For this next batch of users this is unacceptable - both because we are talking about 200 users and fifty workstations but also because of the rotational nature of their shifts many are working when our helpdesk is closed.
Roaming windows profiles are not an option.
The ideal solution that I see is to give these users access only to OWA. However, because they deal with information of an extremely sensitive nature, management does not want to allow 95% of these users to access OWA from anywhere outside of our network. Our OWA is currently published to the outside world through and ISA 2004 server. So my question is this, given that OWA is published through ISA is there a way to use the users tab of the OWA publishing rule to block the users that do not need external access while still allowing all other users through?
Our ISA server is not a member server of our Active Directory environment and contains two NICs, on one connected to our internal network and the other connected to our DMZ.