
Control Outlook Anywhere with client certificate?

I currently have Exchange 2007 with Outlook Anywhere enabled.  I will be moving to Exchange 2010 soon.

The problem I have with Outlook Anywhere is that I don't know of a way to control which PCs are able to download a user's mailbox.  If a user knows how to set up Outlook, they can go to any computer on the internet that has Outlook installed and set it up to connect to the server running Outlook Anywhere.

I heard somewhere that it's possible to set up a client certificate, such that only the clients that have this certificate will be allowed to interact with the Exchange server through Outlook Anywhere.

Is this true?  If not, is there some way to control which computers can use Outlook Anywhere?
I know how to enable/disable it for individual users, but I also need to control which computers they are allowed to use it on.

1 Solution
When you configure Outlook, do the following: Account Settings > Change Account > More Settings > Advanced > Delivery: remove the check from "Leave a copy".
Neil Russell (Technical Development Lead) commented:
Certificate-Based Authentication
Certificate-based authentication uses a digital certificate to verify an identity. Other credentials are provided, in addition to the user name and password. These prove the identity of the user who's trying to access the mailbox resources that are stored on the Exchange 2010 server. A digital certificate consists of two components: the private key that's stored on the device and the public key that's installed on the server. If you configure Exchange 2010 to require certificate-based authentication for Exchange ActiveSync, only devices that meet the following criteria can synchronize with Exchange 2010:

The device has a valid client certificate installed that was created for user authentication.

The device has a trusted root certificate for the server to which the user is connecting to establish the SSL connection.

Deploying certificate-based authentication prevents users who have only a user name and password from synchronizing with Exchange 2010. As an additional level of security, the client certificate for authentication can be installed only when the device is connected to a domain-joined computer through either Desktop ActiveSync 4.5 or a later version in Windows XP or the Windows Mobile Device Center in Windows Vista or Windows 7.


The concept is correct, but it doesn't work with Outlook Anywhere, since Outlook cannot cope with any kind of prompt.
Neil Russell (Technical Development Lead) commented:
Ah my bad!! ANYWHERE not OWA :(

In that case, depending on the size of the org you're working for, you could go with a proper access solution. We use a SonicWALL SRA EX7000 for all remote access, and this allows you to tie remote access down in whatever manner you want, near enough: from limiting access to users who are only logged into a certain domain/account on the remote machine, to clients that have a specific file in a specific folder on the remote machine.

As you are limiting it to ONLY known clients, by the sound of it, I would say a solution like this is far more in line with what you need anyway.

Not cheap :P

luchianoduckman (Author) commented:
We ended up doing this using Microsoft TMG, Cisco Secure ACS, and a combination of Group Policy and client certificates.  The certificate gets deployed on domain member machines.  TMG validates the certificate.  ACS checks to see if the remote machine AND user are members of the required groups in AD.  If all criteria match, YEEE HAWWWW!!  Access is granted.
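The poster's design grants access only when a domain-deployed client certificate validates and both the machine and the user are in the required AD groups; the quoted Microsoft text above lists the same two certificate conditions (a valid client-authentication certificate, chaining to a trusted root). The following audit script is an added example, not code from the thread or from TMG, ACS or Exchange: run on a domain workstation, it reports whether that workstation would pass those checks, which is useful when troubleshooting a denied connection. The issuing CA name and the two AD group names are placeholders, and the Test-GroupMember helper is hypothetical; substitute your own values.

```powershell
# Added audit example (not from the thread). Checks, from the client side, the
# conditions the poster's TMG/ACS design relies on:
#   1. the machine holds a valid client-authentication certificate from the
#      enterprise CA that chains to a trusted root (Test-Certificate builds the chain);
#   2. the computer AND the user are members of the required AD groups.
# Placeholders below are assumptions, not values from the page.
Import-Module PKI
Import-Module ActiveDirectory

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'          # id-kp-clientAuth
$IssuerPattern = 'CN=CONTOSO-ISSUING-CA'      # placeholder: your enterprise CA
$ComputerGroup = 'OutlookAnywhere-Computers'  # placeholder group name
$UserGroup     = 'OutlookAnywhere-Users'      # placeholder group name

# --- Check 1: GPO-deployed client certificate in the machine store ------------
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "$IssuerPattern*" -and
                   $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

$certOk = $false
if ($cert) {
    # Returns $true only if the chain builds to a trusted root, the certificate
    # is within its validity period and it carries the client-auth EKU.
    $certOk = Test-Certificate -Cert $cert -EKU $ClientAuthEku -ErrorAction SilentlyContinue
}

# --- Check 2: machine and user group membership (hypothetical helper) ---------
function Test-GroupMember {
    param([string]$MemberDn, [string]$GroupName)
    # Recursive lookup so nested group membership counts, as ACS/AD would see it.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive
    return [bool]($members | Where-Object { $_.DistinguishedName -eq $MemberDn })
}

$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$userDn     = (Get-ADUser     -Identity $env:USERNAME).DistinguishedName

$computerOk = Test-GroupMember -MemberDn $computerDn -GroupName $ComputerGroup
$userOk     = Test-GroupMember -MemberDn $userDn     -GroupName $UserGroup

# Summary: access is expected only when every condition holds.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    User            = $env:USERNAME
    ClientCertFound = [bool]$cert
    ClientCertValid = [bool]$certOk
    ComputerInGroup = $computerOk
    UserInGroup     = $userOk
    WouldBeGranted  = ([bool]$certOk -and $computerOk -and $userOk)
}
```

The script reads the machine store, so run it in an elevated session on the workstation in question; a `ClientCertFound` of `False` usually means the certificate auto-enrollment GPO has not applied yet (`gpupdate /force` and a reboot refresh it), while `ClientCertValid` being `False` with a certificate present points at a missing or untrusted root on the client.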
luchianoduckman (Author) commented:
None of the proposed comments gave a solution.  The solution I followed was completely different.  I wanted to share it with others in case this question comes up in the future.
Hardik Desai commented:
Can you please share the resolution? I need to deploy this in my environment.