Solved

Question on configuring EWS on Exchange 2010 SP1 at the org level

Posted on 2014-07-18
Last Modified: 2014-07-18
Been reading up on how to block certain services using EWS. In particular, apps like Cloud Magic that enable users to sync email without using ActiveSync and now more recently the issue with LinkedIn where users can input their business logon credentials and upload contacts from Exchange. Why anyone would do this is beyond me but that's another discussion.

I am trying to implement a block on LinkedIn and I know there are a number of articles on how to do this. In fact, LinkedIn published their own article.

What is not clear to me and it differs with each article is how to configure the settings in EWS. If I run the command get-OrganizationConfig | fl *ews* I get the following:


 [PS] C:\>Get-OrganizationConfig |fl *ews*


 EwsEnabled                 :
 EwsAllowOutlook            :
 EwsAllowMacOutlook         :
 EwsAllowEntourage          :
 EwsApplicationAccessPolicy :
 EwsAllowList               :
 EwsBlockList               :

As you can see, everything is blank so I assume blank equals default which equals enabled. As I am reading through articles, some say to set up a filter for something like LinkedIn, you just configure EWSApplicationAccessPolicy to EnforceBlockList and EwsBlockList to "user agent".

For LinkedIn, this would be

 EwsEnabled                 :
 EwsAllowOutlook            :
 EwsAllowMacOutlook         :
 EwsAllowEntourage          :
 EwsApplicationAccessPolicy : EnforceBlockList
 EwsAllowList               :
 EwsBlockList               : LinkedInEws

Then other articles say you need to set the remaining values to True so it looks like this

 EwsEnabled                 : True
 EwsAllowOutlook            : True
 EwsAllowMacOutlook         : True
 EwsAllowEntourage          : True
 EwsApplicationAccessPolicy : EnforceBlockList
 EwsAllowList               :
 EwsBlockList               : LinkedInEws

So, which is it? Has anyone implemented EWS filtering at the global level? If so, which of the above did you do?

I plan on doing this at the mailbox level before moving to a global setting. Lastly, if you want to go back to default, how do you do this? I can set each value to $null but does that actually set it back to default?
Question by:shadowtuck

Expert Comment

by:Adam Farage
ID: 40204540
A best practice is to fill out both the block list and the allow list, and then test. If all works well, then move it up to the org level.

If you notice an issue, you are absolutely correct - simply switch it to $NULL and everything will be allowed again. Whatever you do, do not set it to -EnforceApplicationAccessPolicy:EwsAllowList and set NOTHING. That will block EVERYTHING.

Bad times, I had a case with that (EWS / Lync / Exchange) and it was a nightmare to actually find the culprit without a Fiddler trace.

Author Comment

by:shadowtuck
ID: 40204560
Thanks. Appreciate the response but it did not get to the heart of the question here. First, I don't want to mess with the AllowList because then you have to start listing everything you want to allow access to. I only want to deal with the BlockList. In other words, allow everything except what is on the BlockList. Much easier to manage.

Having said that, I am still confused as to whether to set the other settings to $True to get this to work. Some have said if you set just the EnforceApplicationAccessPolicy:EWSBlockList and then set the value of EWSBlockList, it will not work. You have to also set the other values to $True as I indicated in my post which confuses me because they are already enabled to start with.

Accepted Solution

by:Adam Farage
ID: 40204580
Ok, sorry... I did catch the whole question.

By default EWS will allow anything. It is a best practice to either set the items above to $TRUE that you would like to allow through and then set the block list, or set the block list and allow list. This way you know you are allowing those applications to connect, but at the same time you are forcing EWS to actually check the blocked list to make sure there are no other third party applications.

The user agents one is a bit intensive, and I know it will block Lync from working. I would test intensively to make sure the user agents will not block other applications that you use that connect over EWS.

The situation (limited, as I have never really seen anyone use this before except for one customer) is that they set it to use the Block List but did not set $TRUE to the other attributes, thus causing everything to get blocked. Furthermore, on their own troubleshooting spree they set it to use the allow list with no other applications set to $TRUE and this also broke it. Setting it back to $NULL will allow everything through.

Author Comment

by:shadowtuck
ID: 40204744
OK, that makes it clearer. From what you are saying then, if you do try to implement this, it's best to set everything to $True from the blank state which is consistent with another blog I read. I have a test environment isolated from Prod that I can test this out.

Expert Comment

by:Adam Farage
ID: 40204852
Ok sounds good - let me know how it goes and if you have any further or additional questions.
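
The pilot-then-promote procedure discussed in this thread, written out as an added example that is not part of the original posts. It follows the accepted answer (explicit $true on the allow settings plus EnforceBlockList); the mailbox name `pilot.user` is a hypothetical placeholder and `LinkedInEws` is the user-agent value quoted in the question.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010 SP1).
# Assumptions: 'pilot.user' is a hypothetical test mailbox; 'LinkedInEws'
# is the user-agent value quoted in the question above.
$pilot      = 'pilot.user'
$blockedUAs = 'LinkedInEws'

# The EWS settings from the thread, with the allow flags set explicitly so
# that only the block list decides which clients are refused.
$ewsSettings = @{
    EwsEnabled                 = $true
    EwsAllowOutlook            = $true
    EwsAllowMacOutlook         = $true
    EwsAllowEntourage          = $true
    EwsApplicationAccessPolicy = 'EnforceBlockList'
    EwsBlockList               = $blockedUAs
}

# 1. Record the current state at both levels before changing anything.
Get-CASMailbox -Identity $pilot | Format-List *ews*
Get-OrganizationConfig | Format-List *ews*

# 2. Apply to the pilot mailbox only, then confirm what was written.
Set-CASMailbox -Identity $pilot @ewsSettings
Get-CASMailbox -Identity $pilot | Format-List *ews*

# 3. Once Outlook, Lync and any other EWS clients have been tested against
#    the pilot mailbox, promote the same settings to the organization.
#    -WhatIf previews the change; remove it to commit.
Set-OrganizationConfig @ewsSettings -WhatIf

# 4. Roll back: return every value to blank ($null), which the accepted
#    answer describes as allowing everything through again.
$reset = @{}
foreach ($name in $ewsSettings.Keys) { $reset[$name] = $null }
Set-CASMailbox -Identity $pilot @reset
Set-OrganizationConfig @reset -WhatIf

# 5. Confirm the values are blank again, as in the question's first output.
Get-CASMailbox -Identity $pilot | Format-List *ews*
```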