Exchange 2010 - Blocking OWA for CERTAIN users from the outside

Hello guys, we are an Exchange 2010 shop with about 1200 mailboxes.
My question relates to our need to block OWA from the outside for a number of reasons and in certain scenarios.  Here we go.

1.  We have a need for a certain number of generic accounts, and they need to use OWA from the inside since they do not have Office and the users float from PC to PC.  Outside the company, I would like to BLOCK OWA since these are generic accounts and the passwords do not change. So I need to block JUST these users on the outside.  These generics all begin with the same pattern b1***, B2***, etc., if that helps.

2.  The second issue is related to our normal users using a web scraping app on their mobile phones.  There are apps that exist on iPhone and Android that allow you to have email on these devices (these apps screen scrape OWA) and make it look like a mail client for the phone. We want to block this, because the passwords get cached and no passcode lock is forced.  All of our mobile users SHOULD connect through our MDM/ActiveSync solution (MobileIron).  So for these OWA users that CAN get to OWA from the outside, I want to block these types of apps.

If I cannot get around these issues, I will have to shut OWA down for everyone from the outside.

Any help is appreciated.
Ryan
1 Solution
 
LeeDerbyshireCommented:
1. No built-in way AFAIK, but I wrote this a while back:
http://www.leederbyshire.com/Articles/Block-Or-Allow-OWA-Depending-On-Location-2010.asp
0
 
rabranstetterAuthor Commented:
Lee, the link seems to be invalid
0
 
LeeDerbyshireCommented:
Can you try it again, please.  It's working now - perhaps I lost my connection for a short while.
0
 
rabranstetterAuthor Commented:
If I can pattern match the excluded users, this is a solution for the first issue.
I would like to block anything beginning with b followed by a number, NOT coming from our private IP ranges.
0
 
LeeDerbyshireCommented:
Okay, I'm just off home now - I'll have a look again later.
0
 
LeeDerbyshireCommented:
Hello again.  Can you try this (it assumes your internal IP range is 192.168.x.x).  I've not had a chance to test it, so not 100% sure it will work yet.  BTW, second issue shouldn't be a problem.  Just needs some extra code.


<%
  // Refuse OWA to generic accounts (a leading b/B followed by a digit)
  // when the request does not come from the internal 192.168.x.x range.
  string strIP = Request.ServerVariables["REMOTE_ADDR"] ?? "";
  // StartsWith avoids the Substring(0, 8) exception on short addresses such as 1.2.3.4 or ::1.
  if(!strIP.StartsWith("192.168."))
  {
    string strUser = Request.ServerVariables["REMOTE_USER"] ?? "";
    // Strip any DOMAIN\ prefix so only the account name is examined.
    int p = strUser.IndexOf("\\");
    if(p != -1)
      strUser = strUser.Substring(p + 1);
    Boolean blnFound = false;
    // The pattern is the FIRST two characters (indexes 0 and 1), and C# strings
    // cannot be compared with >= / <=, so compare the characters instead.
    if(strUser.Length >= 2)
    {
      char chr1 = Char.ToLowerInvariant(strUser[0]);
      char chr2 = strUser[1];
      if((chr1 == 'b') && ((chr2 >= '0') && (chr2 <= '9')))
        blnFound = true;
    }
    if(blnFound)
    {
      Response.Write("Sorry, you are not allowed to access OWA from this location: " + strIP);
      Response.End();
    }
  }
%>
0
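The same location-plus-username check factored into a class that can be unit-tested outside the OWA page, as an added example (not code from Lee's article or anything shipped with Exchange): it replaces the single "192.168." string prefix with a CIDR match over all three RFC 1918 blocks, which covers the asker's "private IP ranges" in general, and matches the b-plus-digit pattern with a regular expression. The OwaLocationGate name and the range list are assumptions; edit the list to the ranges actually in use.

```csharp
using System.Net;
using System.Net.Sockets;
using System.Text.RegularExpressions;

// Hypothetical helper (an assumption, not from Lee's article or from Exchange itself).
public static class OwaLocationGate
{
    // Assumption: the internal ranges are the RFC 1918 blocks; edit to match
    // the organisation's real private ranges.
    private static readonly string[] InternalRanges =
        { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
    // Generic accounts: a leading b/B followed by an ASCII digit, as in the question.
    private static readonly Regex GenericAccount =
        new Regex("^b[0-9]", RegexOptions.IgnoreCase);

    private static uint ToUInt32(IPAddress ip)
    {
        byte[] b = ip.GetAddressBytes();
        return (uint)((b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]);
    }

    // True only for a parsable IPv4 address inside one of the internal ranges,
    // so unparsable or IPv6 input is treated as external (fail closed).
    public static bool IsInternal(string remoteAddr)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddr, out ip)) return false;
        if (ip.AddressFamily != AddressFamily.InterNetwork) return false;
        uint addr = ToUInt32(ip);
        foreach (string cidr in InternalRanges)
        {
            string[] parts = cidr.Split('/');
            int prefix = int.Parse(parts[1]);
            uint mask = 0xFFFFFFFFu << (32 - prefix);
            if ((addr & mask) == (ToUInt32(IPAddress.Parse(parts[0])) & mask))
                return true;
        }
        return false;
    }

    // Reduce DOMAIN\user to the bare account name.
    public static string AccountName(string remoteUser)
    {
        if (string.IsNullOrEmpty(remoteUser)) return "";
        int p = remoteUser.LastIndexOf('\\');
        return p == -1 ? remoteUser : remoteUser.Substring(p + 1);
    }

    // The decision the inline OWA page code makes: block generic accounts from outside.
    public static bool ShouldBlock(string remoteAddr, string remoteUser)
    {
        return !IsInternal(remoteAddr) && GenericAccount.IsMatch(AccountName(remoteUser));
    }
}
```

Note that REMOTE_ADDR is the address of whatever made the TCP connection to the CAS: behind a reverse proxy or load balancer it will be the proxy's own (internal) address, so this check only distinguishes inside from outside where the CAS sees the client address directly.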
 
rabranstetterAuthor Commented:
Lee seems to have addressed my first issue, which is blocking certain users (generic accounts in my case) from using OWA from outside of our network.   I am awarding him credit and posting the second part of this in a different question in more detail.
0
 
LeeDerbyshireCommented:
Can you post here the URL of the new question?  If you don't get an answer that gives a built-in solution (and I don't think there is one), I'll come up with some more code like the above that should fix it for you.
0
