• Status: Solved

Block Outlook Anywhere for some computers

Hi,
I would like to block Outlook Anywhere for computers not added to our domain. I believe there is no direct way of doing this?

I was wondering if there is a workaround for this using a firewall like Forefront.

I have found some solutions to block it; however, all of them also involved blocking OWA as well, and I would like to keep this open to all machines and only block Outlook Anywhere to just domain computers.

Help appreciated

Thanks,
James
wsewasim Commented:

Research on this

Set-CASMailbox -MAPIBlockOutlookRpcHttp:$true
you can do:
Get-User | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$true
which will kill all access, and then go back and do a $false for the two in question to allow them to use it.

http://technet.microsoft.com/en-us/library/bb125264(EXCHG.80).aspx
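
The per-mailbox approach described in the post above, as an added example that is not part of the original post. It assumes the Exchange Management Shell; the aliases in $allowed and the CSV file name are hypothetical placeholders. The setting applies per mailbox, not per computer.

```powershell
# Added example: block Outlook Anywhere (RPC over HTTP) for every mailbox
# except an allow-list, with a saved "before" state and a final report.
# $allowed holds hypothetical placeholder aliases.
$allowed = @('user.one', 'user.two')

# 1. Record the current per-mailbox state so the change can be rolled back.
Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, MAPIBlockOutlookRpcHttp |
    Export-Csv -Path .\oa-state-before.csv -NoTypeInformation

# 2. Preview which mailboxes would be blocked. Remove -WhatIf to apply.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $allowed -notcontains $_.Alias } |
    Set-CASMailbox -MAPIBlockOutlookRpcHttp $true -WhatIf

# 3. Make sure the allow-listed mailboxes are explicitly unblocked.
foreach ($alias in $allowed) {
    Set-CASMailbox -Identity $alias -MAPIBlockOutlookRpcHttp $false
}

# 4. Report every mailbox that can still use Outlook Anywhere.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { -not $_.MAPIBlockOutlookRpcHttp } |
    Select-Object Name, MAPIBlockOutlookRpcHttp
```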
 
James-Heard (Author) Commented:
Hi Wsewasim, I may be mistaken but am fairly sure that this enables/disables by user. I want all users to have access but only when on a domain/work-owned PC. The issue is people using Outlook Anywhere on machines not monitored/owned by my company.
Thanks,
James
 
MichaelVH Commented:
As far as I know, there is no 'easy' way to do this. If I'm correct, an ISA server should be able to do that for you.

(don't know about NAP/NAC though)
 
Keith Alabaster (Enterprise Architect) Commented:
ISA/Forefront would not - in this example - actually solve the issue. Both ISA/TMG operate at layer 3 or above and here you are talking about machine identification. Personally I would look at using certificates for this and ticking the box accordingly in the Anywhere Service set up. If the computer has a client computer certificate installed then it gets access.
 
MichaelVH Commented:
Keith,

if I'm correct you cannot use Client Certificates because Outlook can't handle 'em.

But seems you're right on the ISA part, I thought it could "separate" non-domain-members as well; but seems I'm way off there.

Grts,

Michael
 
James-Heard (Author) Commented:
I think I did see something about using certificates; however, I believe the issue I had was that if I installed it on the Exchange server I could not work out how to make it a requirement for Outlook Anywhere but not OWA as well.

"Personally I would look at using certificates for this and ticking the box accordingly in the Anywhere Service set up. If the computer has a client computer certificate installed then it gets access."

Any further info you could give on the above or where I can find how to set this up would be good.  
Thanks
 
pwindell Commented:
But seems you're right on the ISA part, I thought it could "separate" non-domain-members as well; but seems I'm way off there.

Only web publishing (based on web proxying) can make decisions based on the user.  Server publishing (based on Reverse NAT) cannot.
 
James-Heard (Author) Commented:
Sorry Pwindell, can you explain further? How would I achieve what I am asking through ISA or anything else for that matter? This must be possible to do using some combination of tools?
Thanks,
James
 
pwindell Commented:
Well it is just like I said, I don't know how else to say it.  Technology based on web proxying operates throughout all Layers of the OSI model (and above them) and is hence, more sophisticated and more capable, and one of its capabilities is user authentication.  However the other publishing methods are based on NAT,..Reverse NAT to be specific, and NAT only operates in Layers 1-3,...and if port translation (PAT) is added to that then you add Layer 4,...but that is as far as it goes,...so user authentication is not possible.

Web proxying is based on the CERN Compliant Web Proxying Standards and NAT is,...well,...NAT is just NAT.  So these are industry standards,...not an "MS Thing".  So these things are-what-they-are.
 
Keith Alabaster (Enterprise Architect) Commented:
Errrm, yeah - what 'he' said. Right on!
 
Paka Commented:
Can't be done with current technology.  We have a very sharp MS Exchange engineer on staff and we opted for a smart card authenticated session through ISA to CAS, but have not found a way to validate via machine cert too.

Have you looked at RRAS/SSTP or Direct Access?  If you're running W2008/W7 this is definitely the way to go...
 
James-Heard (Author) Commented:
"Have you looked at RRAS/SSTP or Direct Access.  If you're running W2008/W7 this is definitely the way to go..."  This looks good; sadly some of our machines are still XP but we have plans to migrate to 7 shortly (also this only affects our laptops that will increasingly be on win7).  Thanks for the info Paka.
 
Glen Knight Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.