Solved

Block Outlook anywhere for some computer

Posted on 2011-02-18
Last Modified: 2012-05-11
Hi,
I would like to block Outlook Anywhere for computers not added to our domain.  I believe there is no direct way of doing this?

I was wondering if there is a workaround to this using a firewall like Forefront.

I have found some solutions to block, however all of them also involved blocking OWA as well, and I would like to keep this open to all machines and only block Outlook Anywhere to just domain computers.

Help appreciated

Thanks,
James
0
Question by:James-Heard
14 Comments
 
LVL 2

Expert Comment

by:wsewasim
ID: 34924985

Research on this

Set-CASMailbox -MAPIBlockOutlookRpcHttp:$true
You can do:
Get-User | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$true
which will kill all access, and then go back and do a $false for the two in question to allow them to use it.

http://technet.microsoft.com/en-us/library/bb125264(EXCHG.80).aspx
0
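The block-everyone-then-re-allow procedure from the comment above, as an added example that is not part of the original post. It assumes the Exchange Management Shell, a hypothetical `$AllowList` of mailboxes that keep Outlook Anywhere, and that the CAS mailbox objects expose `PrimarySmtpAddress`; the setting is enforced per mailbox, not per machine.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# $AllowList is hypothetical: mailboxes that keep Outlook Anywhere (constructed values).
$AllowList = @('alice@example.com', 'bob@example.com')
$allowed   = @($AllowList | ForEach-Object { $_.ToLowerInvariant() })

$changes = foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
    # Assumption: the CAS mailbox object exposes PrimarySmtpAddress.
    $smtp        = $cas.PrimarySmtpAddress.ToString().ToLowerInvariant()
    $shouldBlock = $allowed -notcontains $smtp
    $isBlocked   = [bool]$cas.MAPIBlockOutlookRpcHttp

    # Skip mailboxes that are already in the desired state.
    if ($isBlocked -eq $shouldBlock) { continue }

    # -WhatIf only reports the change; remove it to apply.
    Set-CASMailbox -Identity $cas.DistinguishedName `
        -MAPIBlockOutlookRpcHttp:$shouldBlock -WhatIf

    # Emit the mailbox with its state before the change, for the report below.
    $cas | Select-Object Name, PrimarySmtpAddress, MAPIBlockOutlookRpcHttp
}

# Mailboxes whose setting differs from the allow-list, with their current value.
$changes | Sort-Object Name | Format-Table -AutoSize
```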
 

Author Comment

by:James-Heard
ID: 34925011
Hi Wsewasim,  I may be mistaken but am fairly sure that this enables/disables by user.  I want all users to have access but only when on a domain/work-owned PC.  The issue is people using Outlook Anywhere on machines not monitored/owned by my company.
Thanks,
James
0
 
LVL 11

Expert Comment

by:MichaelVH
ID: 34925166
As far as I know, there is no 'easy' way to do this. If I'm correct an ISA-server should be able to do that for you.

(don't know about NAP/NAC though)
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 664 total points
ID: 34932326
ISA/Forefront would not - in this example - actually solve the issue. Both ISA/TMG operate at layer 3 or above and here you are talking about machine identification. Personally I would look at using certificates for this and ticking the box accordingly in the Anywhere Service set up. If the computer has a client computer certificate installed then it gets access.
0
 
LVL 11

Assisted Solution

by:MichaelVH
MichaelVH earned 664 total points
ID: 34932422
Keith,

if I'm correct you cannot use Client Certificates because Outlook can't handle 'em.

But seems you're right on the ISA part, I thought it could "separate" non-domain-members as well; but seems I'm way off there.

Grts,

Michael
0
 

Author Comment

by:James-Heard
ID: 34934820
I think I did see something about using certificates, however I believe the issue I had was that if I installed it on the Exchange server I could not work out how to make it a requirement for Outlook Anywhere but not OWA as well.

"Personally I would look at using certificates for this and ticking the box accordingly in the Anywhere Service set up. If the computer has a client computer certificate installed then it gets access."

Any further info you could give on the above or where I can find how to set this up would be good.  
Thanks
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35070904
"But seems you're right on the ISA part, I thought it could "separate" non-domain-members as well; but seems I'm way off there."

Only web publishing (based on web proxying) can make decisions based on the user.  Server publishing (based on Reverse NAT) cannot.
0
 

Author Comment

by:James-Heard
ID: 35071600
Sorry Pwindell, can you explain further?  How would I achieve what I am asking through ISA or anything else for that matter?  This must be possible to do using some combination of tools?
Thanks,
James
0
 
LVL 29

Accepted Solution

by:
pwindell earned 672 total points
ID: 35071720
Well it is just like I said, I don't know how else to say it.  Technology based on web proxying operates throughout all Layers of the OSI model (and above them) and is hence, more sophisticated and more capable, and one of its capabilities is user authentication.  However the other publishing methods are based on NAT,..Reverse NAT to be specific, and NAT only operates in Layers 1-3,...and if port translation (PAT) is added to that then you add Layer 4,...but that is as far as it goes,...so user authentication is not possible.

Web proxying is based on the CERN Compliant Web Proxying Standards and NAT is,...well,...NAT is just NAT.  So these are industry standards,...not an "MS Thing".  So these things are-what-they-are.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35071747
Errrm, yeah - what 'he' said. Right on!
0
 
LVL 22

Expert Comment

by:Paka
ID: 35210560
Can't be done with current technology.  We have a very sharp MS Exchange engineer on staff and we opted for a smart card authenticated session through ISA to CAS, but have not found a way to validate via machine cert too.

Have you looked at RRAS/SSTP or Direct Access?  If you're running W2008/W7 this is definitely the way to go...
0
 

Author Comment

by:James-Heard
ID: 35239250
"Have you looked at RRAS/SSTP or Direct Access.  If you're running W2008/W7 this is definitely the way to go..."  This looks good, sadly some of our machines are still XP but we have plans to migrate to 7 shortly (also this only affects our laptops that will increasingly be on Win7).  Thanks for the info Paka.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35503515
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
