[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1663
  • Last Modified:

Block Outlook anywhere for some computer

Hi,
I would like to block outlook anywhere for computers not added to our domain.  I believe there is no direct way of doing this?

I was wondering if there is a work around to this using a firewall like Forefront.  

I have found some solutions to block however all them also evolved block OWA as well and I would like to keep this open to all machines and only block Outlook anywhere to just domain Computer.

Help appreciated

Thanks,
James
0
James-Heard
Asked:
James-Heard
  • 4
  • 2
  • 2
  • +4
3 Solutions
 
wsewasimCommented:

Research on this

set-casmailbox -mapiblockoutlookrpcthhp:$true
you can do:
get-user | set-casmailbox -mapiblockoutlookrpcthhp:$true
which will kill all access, and then go back and to a $false for the two in question to allow them to use it.

http://technet.microsoft.com/en-us/library/bb125264(EXCHG.80).aspx
0
 
James-HeardAuthor Commented:
Hi Wsewasim,  I may be mistaken but am fairly sure that this enables/disables by user.  I want all user to have access but only when on a domain/work owned PC.  The issue is people using outlook anywhere on machines not monitored/owned by my company
Thanks,
James
0
 
MichaelVHCommented:
As far as I know, there is no 'easy' way to do this. If I'm correct an ISA-server should be able to do that for you.

(don't know about NAP/NAC though)
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
Keith AlabasterCommented:
ISA/Forefront would not - in this example - actually solve the issue. Both ISA/TMG operate at layer 3 or above and here youy are talking about machine identification. Personally I would look at using certificates for this and ticking the box accordingly in the Anywhere Service set up. If the computer has a client computer certificate installed then it gets access.
0
 
MichaelVHCommented:
Keith,

if I'm correct you cannot use Client Certificates because Outlook can't handle 'em.

But seems you're right on the ISA part, I thought it could "separate" non-domain-members as well; but seems I'm way off there.

Grts,

Michael
0
 
James-HeardAuthor Commented:
I think I did see something about using certificates however belive the issue I had was that if Installed it on exchange server I could not work out how to make a requirment for outlook anywhere but not OWA as well.  

"Personally I would look at using certificates for this and ticking the box accordingly in the Anywhere Service set up. If the computer has a client computer certificate installed then it gets access."

Any further info you could give on the above or where I can find how to set this up would be good.  
Thanks
0
 
pwindellCommented:
But seems you're right on the ISA part, I thought it could "separate" non-domain-members as well; but seems I'm way off there.

Only web publishing (based on web proxying) can make decisions based on the user.  Server publishing (based on Reverse NAT) cannot.
0
 
James-HeardAuthor Commented:
Sorry Pwindell can you explain further?  How would I achinve want I am asking though ISA or anything else for that matter?  This must be possible to do using some combination of tools?
Thanks,
James
0
 
pwindellCommented:
Well it is just like I said, I don't know how else to say it.  Technology based on web proxyig operates throughout all Layers of the OSI model (and above them) and is hence, more sophisticated and more capable, and one of its capabilities is user authentication.  However the other publishing methods are based on NAT,..Reverse NAT to be specific, and NAT only operates in Layers 1-3,...and if port translation (PAT) is added to that then you add Layer4,...but that is as far as it goes,...so user authentication is not possible.

Web proxying is based on the CERN Compliant Web Proxying Standards and NAT is,...well,...NAT is just NAT.  So these are industry standards,...not an "MS Thing".  So these things are-what-they-are.
0
 
Keith AlabasterCommented:
Errrm, yeah - what 'he' said. Right on!
0
 
PakaCommented:
Can't be done with current technology.  We have a very sharp MS Exchange engineer on staff and we opted for a smart card authenticated session through ISA to CAS, but have not found a way to validate via machine cert too.

Have you looked at RRAS/SSTP or Direct Access.  If you're running W2008/W7 this is definitely the way to go...
0
 
James-HeardAuthor Commented:
"Have you looked at RRAS/SSTP or Direct Access.  If you're running W2008/W7 this is definitely the way to go..."  This looks good, sadly some of our machines are still XP but we have planes to migrate to 7 shortly (also this only affects our laptops that will increasingly be on win7).  Thanks for the info Paka.
0
 
Glen KnightCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 4
  • 2
  • 2
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now