control Outlook Anywhere with client certificate?

Posted on 2011-10-05
Last Modified: 2014-02-08
I currently have Exchange 2007 with Outlook Anywhere enabled.  I will be moving to Exchange 2010 soon.

The problem I have with Outlook Anywhere is that I don't know of a way to control which PCs are able to download a user's mailbox.  If a user knows how to setup Outlook, they can go to any computer on the internet that has Outlook installed and set it up to connect to the server running Outlook Anywhere.

I heard somewhere that it's possible to set up a client certificate, such that only the clients that have this certificate will be allowed to interact with the Exchange server through Outlook Anywhere.

Is this true?  If not, is there some way to control which computers can use Outlook Anywhere?
I know how to enable/disable it for individual users, but I also need to control which computers they are allowed to use it on.

Question by: luchianoduckman
    LVL 1

    Expert Comment

    When you configure Outlook, do the following: Account Settings > Change Account > More Settings > Advanced > Delivery: remove the check from "Leave a copy".
    LVL 37

    Expert Comment

    Certificate-Based Authentication
    Certificate-based authentication uses a digital certificate to verify an identity. Other credentials are provided, in addition to the user name and password. These prove the identity of the user who's trying to access the mailbox resources that are stored on the Exchange 2010 server. A digital certificate consists of two components: the private key that's stored on the device and the public key that's installed on the server. If you configure Exchange 2010 to require certificate-based authentication for Exchange ActiveSync, only devices that meet the following criteria can synchronize with Exchange 2010:

    The device has a valid client certificate installed that was created for user authentication.

    The device has a trusted root certificate for the server to which the user is connecting to establish the SSL connection.

    Deploying certificate-based authentication prevents users who have only a user name and password from synchronizing with Exchange 2010. As an additional level of security, the client certificate for authentication can be installed only when the device is connected to a domain-joined computer through either Desktop ActiveSync 4.5 or a later version in Windows XP or the Windows Mobile Device Center in Windows Vista or Windows 7.
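
The server-side half of the certificate-based authentication quoted above, as an added example that is not part of the original thread or of Microsoft's documentation. It assumes Exchange 2010 with a Client Access server named CAS01, the default web site, an enterprise CA that already issues client-authentication certificates to users, and the IIS Client Certificate Mapping Authentication role service installed; the server, site and store names are assumptions. Run it in the Exchange Management Shell on the CAS.

```powershell
# Added example, not from the original thread. Server and site names are assumptions.
Import-Module WebAdministration

$server   = "CAS01"
$easVdir  = "$server\Microsoft-Server-ActiveSync (Default Web Site)"
$location = "Default Web Site/Microsoft-Server-ActiveSync"

# 1. Exchange: require a client certificate on the EAS virtual directory and
#    turn off the password-based methods, so a user name and password alone
#    are no longer enough to synchronize.
Set-ActiveSyncVirtualDirectory -Identity $easVdir `
    -ClientCertAuth Required `
    -BasicAuthEnabled $false `
    -WindowsAuthEnabled $false

# 2. IIS: SSL is required, the server asks for a client certificate and
#    refuses connections that do not present one, and Active Directory client
#    certificate mapping is on so the certificate is mapped to the user account.
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $location `
    -Filter "system.webServer/security/access" `
    -Name sslFlags -Value "Ssl,SslNegotiateCert,SslRequireCert"

Set-WebConfigurationProperty -PSPath "IIS:\" -Location $location `
    -Filter "system.webServer/security/authentication/clientCertificateMappingAuthentication" `
    -Name enabled -Value $true

# 3. Verify: the Exchange and IIS settings have to agree, otherwise clients
#    get an HTTP 403 instead of a working certificate logon.
Get-ActiveSyncVirtualDirectory -Identity $easVdir |
    Format-List Name, ClientCertAuth, BasicAuthEnabled, WindowsAuthEnabled

Get-WebConfigurationProperty -PSPath "IIS:\" -Location $location `
    -Filter "system.webServer/security/access" -Name sslFlags

# 4. Client-side check, run on the domain-joined PC the device syncs from:
#    is there a certificate with the Client Authentication EKU that builds a
#    valid chain to a trusted root? That is what the "valid client certificate"
#    criterion above amounts to in the certificate store.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains "Client Authentication" } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Subject  = $_.Subject
            Issuer   = $_.Issuer
            NotAfter = $_.NotAfter
            ChainOk  = $_.Verify()   # builds the chain and checks revocation
        }
    }
```

Step 4 is the check to run first when a device is rejected: a certificate that is present but fails `Verify()` (expired, revoked, or issued by a CA the server does not trust) is rejected exactly like a missing one. Note that, as the next comment points out, this covers Exchange ActiveSync, not Outlook Anywhere.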

    LVL 49

    Expert Comment

    The concept is correct, but it doesn't work with Outlook Anywhere, since Outlook cannot cope with any kind of prompt.
    LVL 37

    Expert Comment

    Ah, my bad!! ANYWHERE, not OWA :(

    In that case, depending on the size of the org you're working for, you could go with a proper access solution. We use a SonicWALL SRA EX7000 for all remote access, and this allows you to tie remote access down in whatever manner you want, near enough: from limiting access to users who are logged into a certain domain/account on the remote machine, to clients that have a specific file in a specific folder on the remote machine.

    As you are limiting it to ONLY known clients by the sound of it, then I would say a solution like this is far more in line with what you need anyway.

    Not cheap :P


    Accepted Solution

    We ended up doing this using Microsoft TMG, Cisco Secure ACS, and a combination of Group Policy and client certificates.  The certificate gets deployed on domain member machines.  TMG validates the certificate.  ACS checks to see if the remote machine AND user are members of the required groups in AD.  If all criteria match, YEEE HAWWWW!!  Access is granted.
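
The "machine AND user must be in the required AD groups" rule and the "certificate deployed on domain members" step from the accepted solution, expressed as a PowerShell check. This is an added example, not the thread author's TMG or Cisco Secure ACS configuration: it approximates what ACS is described as enforcing so the rule can be audited from the AD side, and reports domain machines that never received the client certificate. Group names, the CA name and the use of `Invoke-Command` (which requires PowerShell remoting on the clients) are assumptions.

```powershell
# Added example, not the original poster's TMG/ACS setup. Group and CA names are assumptions.
Import-Module ActiveDirectory

function Test-OutlookAnywhereEligibility {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$UserName,
        [string]$ComputerGroup = "OA-Allowed-Computers",   # assumed group names
        [string]$UserGroup     = "OA-Allowed-Users"
    )
    # Compare by distinguishedName so a group with a similar display name
    # cannot satisfy the check.
    $compGroupDn = (Get-ADGroup -Identity $ComputerGroup).DistinguishedName
    $userGroupDn = (Get-ADGroup -Identity $UserGroup).DistinguishedName

    $computer = Get-ADComputer -Identity $ComputerName -Properties MemberOf
    $user     = Get-ADUser     -Identity $UserName     -Properties MemberOf

    # MemberOf lists direct membership only; nest groups deliberately or
    # expand them before relying on this for enforcement.
    $computerOk = $computer.MemberOf -contains $compGroupDn
    $userOk     = $user.MemberOf     -contains $userGroupDn

    New-Object PSObject -Property @{
        Computer   = $computer.Name
        User       = $user.SamAccountName
        ComputerOk = $computerOk
        UserOk     = $userOk
        # Both must hold: a permitted user on an unknown PC, or a managed PC
        # with an account outside the group, is denied.
        Allowed    = ($computerOk -and $userOk)
    }
}

function Get-ComputersMissingClientCert {
    # Members of the allowed-computers group that have no current
    # client-authentication certificate from the expected CA in the machine
    # store, i.e. where the Group Policy deployment has not taken effect.
    param(
        [string]$ComputerGroup = "OA-Allowed-Computers",
        [string]$IssuerMatch   = "CN=Corp-Issuing-CA"    # assumed CA name
    )
    Get-ADGroupMember -Identity $ComputerGroup |
        Where-Object { $_.objectClass -eq "computer" } |
        ForEach-Object {
            $name = $_.Name
            $has = Invoke-Command -ComputerName $name -ArgumentList $IssuerMatch -ErrorAction SilentlyContinue -ScriptBlock {
                param($issuer)
                @(Get-ChildItem Cert:\LocalMachine\My |
                    Where-Object { $_.Issuer -like "*$issuer*" -and
                                   $_.EnhancedKeyUsageList.FriendlyName -contains "Client Authentication" -and
                                   $_.NotAfter -gt (Get-Date) }).Count -gt 0
            }
            # Unreachable machines are reported too: unverified is not deployed.
            if (-not $has) { $name }
        }
}

# Usage (names are placeholders):
#   Test-OutlookAnywhereEligibility -ComputerName LAPTOP-17 -UserName jdoe
#   Get-ComputersMissingClientCert | Sort-Object
```

The point of the second function is the gap between "the policy is linked" and "the certificate is on the machine": TMG will refuse a machine that is in the right group but never enrolled, and that looks to the user exactly like a group-membership problem. Running this report before tightening the TMG rule separates the two.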

    Author Closing Comment

    None of the proposed comments gave a solution.  The solution I followed was completely different.  I wanted to share it with others in case this question comes up in the future.
    LVL 2

    Expert Comment

    by: Hardik Desai
    Can you please share the resolution? I need to deploy this in my environment.
