Solved

Block Outlook anywhere for some computer

Posted on 2011-02-18
14
1,605 Views
Last Modified: 2012-05-11
Hi,
I would like to block outlook anywhere for computers not added to our domain.  I believe there is no direct way of doing this?

I was wondering if there is a work around to this using a firewall like Forefront.  

I have found some solutions to block however all them also evolved block OWA as well and I would like to keep this open to all machines and only block Outlook anywhere to just domain Computer.

Help appreciated

Thanks,
James
0
Comment
Question by:James-Heard
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +4
14 Comments
 
LVL 2

Expert Comment

by:wsewasim
ID: 34924985

Research on this

set-casmailbox -mapiblockoutlookrpcthhp:$true
you can do:
get-user | set-casmailbox -mapiblockoutlookrpcthhp:$true
which will kill all access, and then go back and to a $false for the two in question to allow them to use it.

http://technet.microsoft.com/en-us/library/bb125264(EXCHG.80).aspx
0
 

Author Comment

by:James-Heard
ID: 34925011
Hi Wsewasim,  I may be mistaken but am fairly sure that this enables/disables by user.  I want all user to have access but only when on a domain/work owned PC.  The issue is people using outlook anywhere on machines not monitored/owned by my company
Thanks,
James
0
 
LVL 11

Expert Comment

by:MichaelVH
ID: 34925166
As far as I know, there is no 'easy' way to do this. If I'm correct an ISA-server should be able to do that for you.

(don't know about NAP/NAC though)
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 166 total points
ID: 34932326
ISA/Forefront would not - in this example - actually solve the issue. Both ISA/TMG operate at layer 3 or above and here youy are talking about machine identification. Personally I would look at using certificates for this and ticking the box accordingly in the Anywhere Service set up. If the computer has a client computer certificate installed then it gets access.
0
 
LVL 11

Assisted Solution

by:MichaelVH
MichaelVH earned 166 total points
ID: 34932422
Keith,

if I'm correct you cannot use Client Certificates because Outlook can't handle 'em.

But seems you're right on the ISA part, I thought it could "separate" non-domain-members as well; but seems I'm way off there.

Grts,

Michael
0
 

Author Comment

by:James-Heard
ID: 34934820
I think I did see something about using certificates however belive the issue I had was that if Installed it on exchange server I could not work out how to make a requirment for outlook anywhere but not OWA as well.  

"Personally I would look at using certificates for this and ticking the box accordingly in the Anywhere Service set up. If the computer has a client computer certificate installed then it gets access."

Any further info you could give on the above or where I can find how to set this up would be good.  
Thanks
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35070904
But seems you're right on the ISA part, I thought it could "separate" non-domain-members as well; but seems I'm way off there.

Only web publishing (based on web proxying) can make decisions based on the user.  Server publishing (based on Reverse NAT) cannot.
0
 

Author Comment

by:James-Heard
ID: 35071600
Sorry Pwindell can you explain further?  How would I achinve want I am asking though ISA or anything else for that matter?  This must be possible to do using some combination of tools?
Thanks,
James
0
 
LVL 29

Accepted Solution

by:
pwindell earned 168 total points
ID: 35071720
Well it is just like I said, I don't know how else to say it.  Technology based on web proxyig operates throughout all Layers of the OSI model (and above them) and is hence, more sophisticated and more capable, and one of its capabilities is user authentication.  However the other publishing methods are based on NAT,..Reverse NAT to be specific, and NAT only operates in Layers 1-3,...and if port translation (PAT) is added to that then you add Layer4,...but that is as far as it goes,...so user authentication is not possible.

Web proxying is based on the CERN Compliant Web Proxying Standards and NAT is,...well,...NAT is just NAT.  So these are industry standards,...not an "MS Thing".  So these things are-what-they-are.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35071747
Errrm, yeah - what 'he' said. Right on!
0
 
LVL 22

Expert Comment

by:Paka
ID: 35210560
Can't be done with current technology.  We have a very sharp MS Exchange engineer on staff and we opted for a smart card authenticated session through ISA to CAS, but have not found a way to validate via machine cert too.

Have you looked at RRAS/SSTP or Direct Access.  If you're running W2008/W7 this is definitely the way to go...
0
 

Author Comment

by:James-Heard
ID: 35239250
"Have you looked at RRAS/SSTP or Direct Access.  If you're running W2008/W7 this is definitely the way to go..."  This looks good, sadly some of our machines are still XP but we have planes to migrate to 7 shortly (also this only affects our laptops that will increasingly be on win7).  Thanks for the info Paka.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35503515
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people use more than one email account and so it becomes difficult for them to manage them when they use separate accounts,  so, in this article, I have shared an easy way to add Other Mail Accounts in your Google Inbox. It helps to combine all…
You need to know the location of the Office templates folder, so that when you create new templates, they are saved to that location, and thus are available for selection when creating new documents.  The steps to find the Templates folder path are …
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question