nesarmatrix

asked on

How to block RPC over HTTP client?

Hi,

I want to block RPC over HTTP for particular users. Some users have configured their email accounts on BlackBerry web access without informing us, and they then access official mail on their own BlackBerry devices.

I want to know whether there is any way to block the activation process on BlackBerry.

thanks

Rajesh Kumar

Hilal1924

Hi. If you are using Exchange 2003, you can disable RPC/HTTPS by changing the permissions on the RPC directory in IIS, or simply by deleting or disabling it. In Exchange 2007, you should disable Outlook Anywhere on the CAS server; this will disable RPC/HTTPS.

One more way is to use Exchange Features from Active Directory. Select the users for whom you want to disable RPC/HTTPS and remove this feature for them.

Cheers,
Hilal
nesarmatrix

ASKER

Hi Hilal,

Could you please provide the Active Directory steps for disabling RPC over HTTP?

I was thinking more in terms of ActiveSync. Which mail server are you using? If it is Exchange 2007 you can use ADUC to remove Exchange features.

Yes, I am using Exchange 2007. Please provide the steps to disable the RPC over HTTP feature for particular users...

RPC/HTTPS is called Outlook Anywhere in Exchange 2007. Unfortunately you can't disable it only for some users in Exchange 2007; it will be disabled organization wide.
Use the following command from EMS to disable OutlookAnywhere:

Disable-OutlookAnywhere -Server "ServerName" (Warning: it will disable Outlook Anywhere for all users)

To do it on a user basis, it is a bit complicated. You will need to use Exchange Management Shell and set the users like this:

Get-Content C:\Users.txt | ForEach-Object { Set-CASMailbox -Identity $_ -OWAEnabled:$false }

Users.txt is the file with the usernames (one per line) for whom you want to disable RPC/HTTP.
Cheers,
Hilal
I have read on many blogs that you can block the Outlook Anywhere option for particular users?

This is how you do it on a per user basis
"
To do it on a user basis, it is a bit complicated. You will need to use Exchange Management Shell and set the users like this:

Get-Content C:\Users.txt | ForEach-Object { Set-CASMailbox -Identity $_ -OWAEnabled:$false }

Users.txt is the file with the usernames (one per line) for whom you want to disable RPC/HTTP.
Cheers,
Hilal
"
Or simply use the following command:

Get-User "username" | Set-CASMailbox -OWAEnabled:$false

But this command disables Outlook Web Access, and I want to disable Outlook Anywhere access.

Outlook Anywhere forms part of Outlook Web Access; that is why I had not recommended it in the first place. This is the only way though. To disable Outlook Anywhere for specific users you will need to disable OWA.

If you see in the picture we can disable only these protocols.
CAS-Settings.png
We have already blocked OWA, but how is it possible that users can still configure BlackBerry themselves?

Ah, I see. BlackBerry can be configured in multiple ways. I assume that you don't have any BlackBerry servers configured in your network.
If you have disabled OWA and they are still using Mobile devices to access their email, in all probability they are either using ActiveSync or a third party Blackberry host such as a Telecom Carrier. If you disable both OWA and ActiveSync, using blackberry would be impossible. So depending on the client they are using you can block their access.

Test by blocking both ActiveSync and OWA, I am sure it will disable all blackberry Syncs.

Cheers,
Hilal
I have checked with OWA and ActiveSync disabled, but the same thing is still happening.

Then I am absolutely sure it is not Exchange, since these are the only ways BlackBerrys can be configured for web access. Unless, of course, you have enabled IMAP or POP.

Hi, does anyone know about this?

Actually, this is pretty easy. You can't do it, to my knowledge, from Exchange or OWA (I have heard you can break BIS through forms-based authentication, but I cannot validate it).

To do this, block the following IPs at the firewall level. (You could also do this in IIS, but I'd rather block them at the edge than let them in.) I hate BlackBerrys, and when the end user group told us they were tired of supporting requests for unauthorized devices, this totally worked like a charm.

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB11036&sliceId=SAL_Public&dialogID=63832630&stateId=1%200%2063826436

Once the rules are applied to your firewall, you will have some very angry blackberry users which will make you smile big :)
To further elaborate on my post: if you do not have a BlackBerry Enterprise Server (commonly known as BES), then users are forced to go to the BlackBerry Internet Service, which they subscribe to through the vendor, RIM. RIM has a server farm which, upon configuration with the BlackBerry user, will attach to OWA on their behalf and act as the proxy between the user's BlackBerry and your OWA farm.

By blocking the IP addresses listed in their documentation, you are preventing the RIM server farm from connecting to your OWA environment. If the RIM servers are unable to connect, then the BlackBerry user can no longer synchronize through the BIS servers. There is zero danger in doing this, and rest assured that any network or firewall administrator will be happy to block those IPs for you.

There is one last way that the user can sync, and this is a lot harder to control. They could attach directly through a USB cable to their PC or laptop and then synchronize with Outlook that way. That's a different topic, but I would control that through IT policy and say: if you connect your BlackBerry to your computer, we will confiscate it under our IT policy.

Akhater

To block RPC/HTTP use

set-casmailbox name -MAPIBlockOutlookRpcHttp:$true

to block activesync

set-casmailbox name -ActiveSyncEnabled:$false

to block OWA

set-casmailbox name -OWAEnabled:$false

Note that BlackBerry (BIS) uses the EWS and cannot be blocked at the Exchange level; to block it you should block it on ISA (if you have ISA). The alternative is to block the whole BIS IP address range, but this means that it will be blocked for all users.
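
The per-user settings from the post above, applied to a list of users and then read back, as an added example that is not part of the original thread. It assumes the C:\Users.txt file mentioned earlier in the thread; the $DryRun variable and the StillOpen column are names introduced here.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# C:\Users.txt is the file named in the thread: one mailbox identity per line.
# $DryRun is a hypothetical variable introduced here; $true only previews changes.
$DryRun = $true
$users  = Get-Content 'C:\Users.txt' | Where-Object { $_.Trim() -ne '' }

foreach ($u in $users) {
    # Report names that do not resolve, so a typo in the file is not silently skipped
    $mbx = Get-CASMailbox -Identity $u -ErrorAction SilentlyContinue
    if (-not $mbx) { Write-Warning "No mailbox found for '$u'"; continue }

    # The three per-mailbox switches quoted in the thread
    Set-CASMailbox -Identity $u `
        -MAPIBlockOutlookRpcHttp:$true `
        -ActiveSyncEnabled:$false `
        -OWAEnabled:$false `
        -WhatIf:$DryRun
}

# Read the settings back and list every client-access path still open per user.
# POP and IMAP are included because the thread names them as remaining routes.
$users | ForEach-Object { Get-CASMailbox -Identity $_ -ErrorAction SilentlyContinue } |
    Select-Object Name,
        @{ Name = 'StillOpen'; Expression = {
            $open = @()
            if (-not $_.MAPIBlockOutlookRpcHttp) { $open += 'RPC/HTTP' }
            if ($_.ActiveSyncEnabled)            { $open += 'ActiveSync' }
            if ($_.OWAEnabled)                   { $open += 'OWA' }
            if ($_.PopEnabled)                   { $open += 'POP3' }
            if ($_.ImapEnabled)                  { $open += 'IMAP4' }
            [string]::Join(', ', $open)
        } } |
    Format-Table -AutoSize
```

An empty StillOpen column means all five paths are closed for that mailbox; as the post above says, BIS access through EWS is not covered by these switches and has to be handled at ISA or the firewall.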

AKhater - I think he wanted to block all BIS users and that's why I suggested blocking the IP ranges.

@egrylls I agree with you on blocking the BIS IP range part; I was just trying to give the OP a complete answer with all possibilities.

Hello All,
First, go to REGEDIT (type it in CMD):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Value name: Rpc/HTTP Port
Value type: REG_DWORD
Value data: 0x1771 (Decimal 6001)

Secondly:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: HTTP Port
Value type: REG_DWORD
Value data: 0x1772 (Decimal 6002)

Thirdly:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: Rpc/HTTP NSPI Port
Value type: REG_DWORD
Value data: 0x1774 (Decimal 6004)

Hi, is there any way to block this?

Block what? Did you read my post?


To block RPC/HTTP use

set-casmailbox name -MAPIBlockOutlookRpcHttp:$true

to block activesync

set-casmailbox name -ActiveSyncEnabled:$false

to block OWA

set-casmailbox name -OWAEnabled:$false

Note that BlackBerry (BIS) uses the EWS and cannot be blocked at the Exchange level; to block it you should block it on ISA (if you have ISA). The alternative is to block the whole BIS IP address range, but this means that it will be blocked for all users.

Hi, suppose we block the BIS IPs in our firewall; then this service is blocked for all users. Is there any way that we can allow some users through the firewall?

Which service are we talking about? Let's try to be a bit specific here.

If you are talking about BIS, I clearly stated that you can either block the IP range (i.e. all users) or, if you want it by user, you need ISA server.

I have an ISA server, but it is not the front end. How can I deploy it? And please confirm whether we can allow specific users through ISA.

In ISA you can create a rule to allow only specific users (a group) to access the /EWS virtual directory, so yes, it can be done.

OK, right now I am using ISA only as a proxy server. Could you tell me how I can publish our URL through ISA?

ASKER CERTIFIED SOLUTION
Akhater
good