How to block RPC over HTTP client?

Hi,

I want to block RPC over HTTP for particular users. Some users have configured their email accounts on BlackBerry web access without our knowledge, and they then access official mail on their own BlackBerry devices.

I want to know whether there is any way to block the activation process on BlackBerry.

thanks

Rajesh Kumar

nesarmatrixAsked:

Hilal1924Commented:
Hi. If you are using Exchange 2003, you can disable RPC/HTTPS by changing the permission on the RPC directory in IIS, or simply by deleting or disabling it. In Exchange 2007, you should disable Outlook Anywhere on the CAS server; this will disable RPC/HTTPS.

One more way is to use Exchange Features from Active Directory. Select the users for whom you want to disable RPC/HTTPS and remove this feature for them.

Cheers,
Hilal
0
nesarmatrixAuthor Commented:
Hi Hilal,

Could you please provide the Active Directory steps to disable RPC over HTTP?
0
Hilal1924Commented:
I was thinking more in terms of ActiveSync. Which mail server are you using? If it is Exchange 2007, you can use ADUC to remove Exchange features.
0

nesarmatrixAuthor Commented:
Yes, I am using Exchange 2007. Please provide the steps to disable the RPC over HTTP feature for particular users.
0
Hilal1924Commented:
RPC/HTTPS is called Outlook Anywhere in Exchange 2007. Unfortunately, you can't disable it only for some users in Exchange 2007; it will be disabled organization-wide.
Use the following command from EMS to disable Outlook Anywhere:

Disable-OutlookAnywhere -Server "ServerName"

(Warning: it will disable Outlook Anywhere for all users)

To do it on a user basis, it is a bit complicated. You will need to use Exchange Management Shell and set the users like this:

Get-Content C:\Users.txt | Get-User | Set-CASMailbox -OWAEnabled:$false

Users.txt is the file with the usernames for which you want to disable RPC/HTTP.
Cheers,
Hilal
0
nesarmatrixAuthor Commented:
I have read on many blogs that you can block the Outlook Anywhere option for particular users?
0
Hilal1924Commented:

This is how you do it on a per-user basis:
"
To do it on a user basis, it is a bit complicated. You will need to use Exchange Management Shell and set the users like this:

Get-Content C:\Users.txt | Get-User | Set-CASMailbox -OWAEnabled:$false

Users.txt is the file with the usernames for which you want to disable RPC/HTTP.
Cheers,
Hilal
"
0
Hilal1924Commented:
Or simply use the following command:

Get-User "username" | Set-CASMailbox -OWAEnabled:$false
0
nesarmatrixAuthor Commented:
But this command disables Outlook Web Access, and I want to disable Outlook Anywhere access.
0
Hilal1924Commented:
Outlook Anywhere forms part of Outlook Web Access; that is why I had not recommended it in the first place. This is the only way, though. To disable Outlook Anywhere for specific users you will need to disable OWA.

As you can see in the picture, we can disable only these protocols.
CAS-Settings.png
0
nesarmatrixAuthor Commented:
We have already blocked OWA, but how is it possible that users can configure BlackBerry themselves?
0
Hilal1924Commented:
Ah, I see. BlackBerry can be configured in multiple ways. I assume that you don't have any BlackBerry servers configured in your network.
If you have disabled OWA and they are still using Mobile devices to access their email, in all probability they are either using ActiveSync or a third party Blackberry host such as a Telecom Carrier. If you disable both OWA and ActiveSync, using blackberry would be impossible. So depending on the client they are using you can block their access.

Test by blocking both ActiveSync and OWA, I am sure it will disable all blackberry Syncs.

Cheers,
Hilal
0
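To see which client access path the affected users are actually hitting, which is what the reply above says the choice of block depends on, the IIS logs on the Client Access server can be summarised per user. This is an added example, not part of the original thread; the log lines are constructed, and it assumes W3C logs with the cs-uri-stem, cs-username and c-ip fields and PowerShell 2.0 or later.

```powershell
# Added example (not from the thread). Log lines are constructed; names and IPs are placeholders.
$sampleLog = @(
    '#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status',
    '2010-03-01 08:00:01 POST /EWS/Exchange.asmx EXAMPLE\alice 192.0.2.10 200',
    '2010-03-01 08:00:07 RPC_IN_DATA /rpc/rpcproxy.dll EXAMPLE\bob 198.51.100.7 200',
    '2010-03-01 08:01:12 POST /Microsoft-Server-ActiveSync EXAMPLE\carol 203.0.113.5 200',
    '2010-03-01 08:02:30 POST /EWS/Exchange.asmx EXAMPLE\alice 192.0.2.11 200',
    '2010-03-01 08:03:00 GET /owa/auth/logon.aspx - 203.0.113.9 200'
)
# Lower-case URI prefix -> client access path it belongs to.
$pathMap = @{
    '/rpc/'                        = 'Outlook Anywhere (RPC/HTTP)'
    '/microsoft-server-activesync' = 'ActiveSync'
    '/ews/'                        = 'EWS'
    '/owa'                         = 'OWA'
}
function Get-ClientAccessSummary([string[]]$Lines) {
    $seen = @{}; $f = @(); $iStem = $iUser = $iIp = -1
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # Column order varies per server, so take it from the header.
            $f = $line.Substring(8).Trim().Split(' ')
            $iStem = [array]::IndexOf($f, 'cs-uri-stem')
            $iUser = [array]::IndexOf($f, 'cs-username')
            $iIp   = [array]::IndexOf($f, 'c-ip')
            continue
        }
        if ($line.StartsWith('#') -or $iStem -lt 0 -or $iUser -lt 0 -or $iIp -lt 0) { continue }
        $cols = $line.Split(' ')
        if ($cols.Count -ne $f.Count) { continue }     # malformed or truncated line
        $user = $cols[$iUser]; $ip = $cols[$iIp]; $stem = $cols[$iStem].ToLower()
        if ($user -eq '-') { continue }                # unauthenticated request
        $label = $null
        foreach ($p in $pathMap.Keys) { if ($stem.StartsWith($p)) { $label = $pathMap[$p] } }
        if (-not $label) { continue }
        $key = "$user|$label"
        if (-not $seen.ContainsKey($key)) { $seen[$key] = @{} }
        $seen[$key][$ip] = 1 + [int]$seen[$key][$ip]   # hits per source address
    }
    foreach ($key in $seen.Keys) {
        $user, $path = $key.Split('|')
        New-Object PSObject -Property @{
            User = $user; Path = $path
            Hits = ($seen[$key].Values | Measure-Object -Sum).Sum
            ClientIPs = (($seen[$key].Keys | Sort-Object) -join ', ')
        }
    }
}
Get-ClientAccessSummary $sampleLog | Sort-Object User, Path |
    Format-Table User, Path, Hits, ClientIPs -AutoSize
```

To run it against real logs, pass `(Get-Content <logfile>)` instead of `$sampleLog`; the ClientIPs column shows whether a user's requests arrive from an internal client or from an external relay.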
nesarmatrixAuthor Commented:
I have checked with OWA and ActiveSync disabled, but the same thing is still happening.
0
Hilal1924Commented:
Then I am absolutely sure it is not Exchange, since these are the only ways BlackBerrys can be configured for Web Access. Unless, of course, you have enabled IMAP or POP.
0
nesarmatrixAuthor Commented:
Hi, does anyone know about this?
0
egryllsCommented:
Actually, this is pretty easy. You can't do it, to my knowledge, from Exchange or OWA (I have heard you can break BIS through forms-based authentication, but I cannot validate it.)

To do this, block the following IPs at the firewall level. (You could also do this in IIS, but I'd rather block them at the edge than let them in.) I hate BlackBerries, and when the end user group told us they were tired of supporting requests for unauthorized devices, this totally worked like a charm.

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB11036&sliceId=SAL_Public&dialogID=63832630&stateId=1%200%2063826436

Once the rules are applied to your firewall, you will have some very angry blackberry users which will make you smile big :)
0
egryllsCommented:
To further elaborate on my post: if you do not have a BlackBerry Enterprise Server (commonly known as BES), then users are forced to go to the BlackBerry Internet Service, which they subscribe to through the vendor, RIM. RIM has a server farm which, upon configuration with the BlackBerry user, will attach to OWA on their behalf and act as the proxy between the user's BlackBerry and your OWA farm.

By blocking the IP addresses listed in their documentation, you are preventing the RIM server farm from connecting to your OWA environment. If the RIM servers are unable to connect, then the BlackBerry user can no longer synchronize through the BIS servers. There is zero danger in doing this, and rest assured that any network or firewall administrator will be happy to block those IPs for you.

There is one last way that the user can sync, and this is a lot harder to control. They could attach directly through a USB cable to their PC or laptop and then synchronize with Outlook that way. That's a different topic, but I would control that through IT policy and say that if you connect your BlackBerry to your computer, we will confiscate it under our IT policy.
0
AkhaterCommented:
To block RPC/HTTP use

set-casmailbox name -MAPIBlockOutlookRpcHttp:$true

to block activesync

set-casmailbox name -ActiveSyncEnabled:$false

to block OWA

set-casmailbox name -OWAEnabled:$false

Note that BlackBerry (BIS) uses EWS and cannot be blocked at the Exchange level. To block it, you should block it on ISA (if you have ISA). The alternative is to block the whole BIS IP address range, but this means that it will be blocked for all users.

0
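The per-user switches from this answer, applied to a list of accounts and then read back to confirm they took effect, as an added example that is not part of the original thread. It assumes the Exchange 2007 Management Shell and the C:\Users.txt file (one mailbox identity per line) mentioned earlier in the thread; POP3 and IMAP4 are included because they are named above as remaining access paths.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumption: C:\Users.txt holds one mailbox identity (alias or UPN) per line.
$users = @(Get-Content 'C:\Users.txt' | Where-Object { $_.Trim() -ne '' })

foreach ($u in $users) {
    # Close each per-mailbox client access path discussed in the thread.
    # Drop any line below for a path that should stay available.
    Set-CASMailbox -Identity $u `
        -MAPIBlockOutlookRpcHttp:$true `
        -ActiveSyncEnabled:$false `
        -OWAEnabled:$false `
        -PopEnabled:$false `
        -ImapEnabled:$false
}

# Read the settings back and keep only mailboxes where a path is still open,
# for example because the identity did not resolve or the change was refused.
$stillOpen = @($users | ForEach-Object { Get-CASMailbox -Identity $_ } |
    Where-Object {
        -not $_.MAPIBlockOutlookRpcHttp -or $_.ActiveSyncEnabled -or
        $_.OWAEnabled -or $_.PopEnabled -or $_.ImapEnabled
    })

if ($stillOpen.Count -gt 0) {
    $stillOpen | Format-Table Name, MAPIBlockOutlookRpcHttp, ActiveSyncEnabled,
        OWAEnabled, PopEnabled, ImapEnabled -AutoSize
} else {
    Write-Host "All $($users.Count) mailboxes have the listed paths blocked."
}
```

These switches do not cover EWS, which the answer above says has to be handled on ISA or at the firewall.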
egryllsCommented:
Akhater - I think he wanted to block all BIS users, and that's why I suggested blocking the IP ranges.
0
AkhaterCommented:
@egrylls I agree with you on the part about blocking the BIS IP range; I was just trying to give the OP a complete answer with all possibilities.
0
Vipin_905Commented:
Hello All,
First, open REGEDIT (type it in CMD):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Value name: Rpc/HTTP Port
Value type: REG_DWORD
Value data: 0x1771 (Decimal 6001)

Secondly:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: HTTP Port
Value type: REG_DWORD
Value data: 0x1772 (Decimal 6002)

Thirdly:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: Rpc/HTTP NSPI Port
Value type: REG_DWORD
Value data: 0x1774 (Decimal 6004)
0
nesarmatrixAuthor Commented:
Hi, is there any way to block this?
0
AkhaterCommented:
Block what? Did you read my post?


To block RPC/HTTP use

set-casmailbox name -MAPIBlockOutlookRpcHttp:$true

to block activesync

set-casmailbox name -ActiveSyncEnabled:$false

to block OWA

set-casmailbox name -OWAEnabled:$false

Note that BlackBerry (BIS) uses EWS and cannot be blocked at the Exchange level. To block it, you should block it on ISA (if you have ISA). The alternative is to block the whole BIS IP address range, but this means that it will be blocked for all users.
0
nesarmatrixAuthor Commented:
Hi, suppose we block the BIS IPs in our firewall; then this service is blocked for all users. Is there any way that we can allow some users through the firewall?
0
AkhaterCommented:
Which service are we talking about? Let's try to be a bit specific here.

If you are talking about BIS, I clearly stated that you can either block the IP range (i.e. all users) or, if you want it by user, you need ISA server.
0
nesarmatrixAuthor Commented:
I have an ISA server, but it is not a front end. How can I deploy it, and please confirm that we can allow specific users through ISA.
0
AkhaterCommented:
In ISA you can create a rule to allow only specific users (a group) to access the /EWS virtual directory, so yes, it can be done.

0
nesarmatrixAuthor Commented:
OK, right now I am using ISA only as a proxy server. Could you tell me how to publish our URL through ISA?
0
AkhaterCommented:
I am afraid this is a completely different issue.
In short, you need to put 2 NICs in your ISA server, configure it as a perimeter network, and then create your publishing rules.
0

nesarmatrixAuthor Commented:
good
0