Solved

Block Outlook Anywhere for some computers

Posted on 2011-02-18
Last Modified: 2012-05-11
Hi,
I would like to block Outlook Anywhere for computers not added to our domain.  I believe there is no direct way of doing this?

I was wondering if there is a workaround for this using a firewall like Forefront.

I have found some solutions to block it; however, all of them also involved blocking OWA as well, and I would like to keep this open to all machines and only block Outlook Anywhere to just domain computers.

Help appreciated

Thanks,
James
Question by:James-Heard
14 Comments
 
LVL 2

Expert Comment

by:wsewasim
ID: 34924985

Research on this

Set-CASMailbox -MAPIBlockOutlookRpcHttp:$true
you can do:
Get-User | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$true
which will kill all access, and then go back and do a $false for the two in question to allow them to use it.

http://technet.microsoft.com/en-us/library/bb125264(EXCHG.80).aspx
0
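
The per-user approach from the comment above, written out as an added example that is not part of the original post: block Outlook Anywhere (RPC over HTTP) for every mailbox, re-enable it for an allow list, then report who still has access. It assumes the Exchange Management Shell, and the two identities are placeholders; the setting is per mailbox, so it restricts users, not machines.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell.
# $allowed holds placeholder identities (assumption); replace with real mailboxes.
$allowed = @('user.one@example.com', 'user.two@example.com')

# 1. Dry run: show which mailboxes would be changed, without changing anything.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { -not $_.MAPIBlockOutlookRpcHttp } |
    Set-CASMailbox -MAPIBlockOutlookRpcHttp $true -WhatIf

# 2. Block Outlook Anywhere for every mailbox that still allows it.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { -not $_.MAPIBlockOutlookRpcHttp } |
    Set-CASMailbox -MAPIBlockOutlookRpcHttp $true

# 3. Re-enable it only for the allow-listed mailboxes.
foreach ($id in $allowed) {
    Set-CASMailbox -Identity $id -MAPIBlockOutlookRpcHttp $false
}

# 4. Verify: the output should list only the allow-listed mailboxes.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { -not $_.MAPIBlockOutlookRpcHttp } |
    Select-Object Name, MAPIBlockOutlookRpcHttp
```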
 

Author Comment

by:James-Heard
ID: 34925011
Hi Wsewasim,  I may be mistaken but am fairly sure that this enables/disables by user.  I want all users to have access but only when on a domain/work-owned PC.  The issue is people using Outlook Anywhere on machines not monitored/owned by my company.
Thanks,
James
0
 
LVL 11

Expert Comment

by:MichaelVH
ID: 34925166
As far as I know, there is no 'easy' way to do this. If I'm correct an ISA-server should be able to do that for you.

(don't know about NAP/NAC though)
0

 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 166 total points
ID: 34932326
ISA/Forefront would not - in this example - actually solve the issue. Both ISA/TMG operate at layer 3 or above and here you are talking about machine identification. Personally I would look at using certificates for this and ticking the box accordingly in the Anywhere Service set up. If the computer has a client computer certificate installed then it gets access.
0
 
LVL 11

Assisted Solution

by:MichaelVH
MichaelVH earned 166 total points
ID: 34932422
Keith,

if I'm correct you cannot use Client Certificates because Outlook can't handle 'em.

But seems you're right on the ISA part, I thought it could "separate" non-domain-members as well; but seems I'm way off there.

Grts,

Michael
0
 

Author Comment

by:James-Heard
ID: 34934820
I think I did see something about using certificates; however, I believe the issue I had was that if I installed it on the Exchange server I could not work out how to make it a requirement for Outlook Anywhere but not OWA as well.

"Personally I would look at using certificates for this and ticking the box accordingly in the Anywhere Service set up. If the computer has a client computer certificate installed then it gets access."

Any further info you could give on the above or where I can find how to set this up would be good.  
Thanks
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35070904
"But seems you're right on the ISA part, I thought it could "separate" non-domain-members as well; but seems I'm way off there."

Only web publishing (based on web proxying) can make decisions based on the user.  Server publishing (based on Reverse NAT) cannot.
0
 

Author Comment

by:James-Heard
ID: 35071600
Sorry Pwindell, can you explain further?  How would I achieve what I am asking through ISA or anything else for that matter?  This must be possible to do using some combination of tools?
Thanks,
James
0
 
LVL 29

Accepted Solution

by:
pwindell earned 168 total points
ID: 35071720
Well it is just like I said, I don't know how else to say it.  Technology based on web proxying operates throughout all Layers of the OSI model (and above them) and is hence, more sophisticated and more capable, and one of its capabilities is user authentication.  However the other publishing methods are based on NAT,..Reverse NAT to be specific, and NAT only operates in Layers 1-3,...and if port translation (PAT) is added to that then you add Layer 4,...but that is as far as it goes,...so user authentication is not possible.

Web proxying is based on the CERN Compliant Web Proxying Standards and NAT is,...well,...NAT is just NAT.  So these are industry standards,...not an "MS Thing".  So these things are-what-they-are.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35071747
Errrm, yeah - what 'he' said. Right on!
0
 
LVL 22

Expert Comment

by:Paka
ID: 35210560
Can't be done with current technology.  We have a very sharp MS Exchange engineer on staff and we opted for a smart card authenticated session through ISA to CAS, but have not found a way to validate via machine cert too.

Have you looked at RRAS/SSTP or Direct Access?  If you're running W2008/W7 this is definitely the way to go...
0
 

Author Comment

by:James-Heard
ID: 35239250
"Have you looked at RRAS/SSTP or Direct Access.  If you're running W2008/W7 this is definitely the way to go..."  This looks good, sadly some of our machines are still XP but we have plans to migrate to 7 shortly (also this only affects our laptops that will increasingly be on Win7).  Thanks for the info Paka.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35503515
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0


Question has a verified solution.
