Question on configuring EWS on Exchange 2010 SP1 at the org level

Posted on 2014-07-18
Last Modified: 2014-07-18
Been reading up on how to block certain services using EWS. In particular, apps like Cloud Magic that enable users to sync email without using ActiveSync and, more recently, the issue with LinkedIn where users can input their business logon credentials and upload contacts from Exchange. Why anyone would do this is beyond me, but that's another discussion.

I am trying to implement a block on LinkedIn and I know there are a number of articles on how to do this. In fact, LinkedIn published their own article.

What is not clear to me and it differs with each article is how to configure the settings in EWS. If I run the command get-OrganizationConfig | fl *ews* I get the following:


 [PS] C:\>Get-OrganizationConfig |fl *ews*


 EwsEnabled                 :
 EwsAllowOutlook            :
 EwsAllowMacOutlook         :
 EwsAllowEntourage          :
 EwsApplicationAccessPolicy :
 EwsAllowList               :
 EwsBlockList               :

As you can see, everything is blank, so I assume blank equals default, which equals enabled. As I am reading through articles, some say that to set up a filter for something like LinkedIn you just configure EwsApplicationAccessPolicy to EnforceBlockList and EwsBlockList to the "user agent".

For LinkedIn, this would be

 EwsEnabled                 :
 EwsAllowOutlook            :
 EwsAllowMacOutlook         :
 EwsAllowEntourage          :
 EwsApplicationAccessPolicy : EnforceBlockList
 EwsAllowList               :
 EwsBlockList               : LinkedInEws

Then other articles say you need to set the remaining values to True, so it looks like this:

 EwsEnabled                 : True
 EwsAllowOutlook            : True
 EwsAllowMacOutlook         : True
 EwsAllowEntourage          : True
 EwsApplicationAccessPolicy : EnforceBlockList
 EwsAllowList               :
 EwsBlockList               : LinkedInEws

So, which is it? Has anyone implemented EWS filtering at the global level? If so, which of the above did you do?

I plan on doing this at the mailbox level before moving to a global setting. Lastly, if you want to go back to default, how do you do this? I can set each value to $null, but does that actually set it back to default?
Question by:shadowtuck

Expert Comment

by:Adam Farage
ID: 40204540
A best practice is to fill out both the block list and the allow list, and then test. If all works well, then move it up to the org level.

If you notice an issue, you are absolutely correct - simply switch it to $NULL and everything will be allowed again. Whatever you do, do not set it to -EnforceApplicationAccessPolicy:EwsAllowList and set NOTHING. That will block EVERYTHING.

Bad times, I had a case with that (EWS / Lync / Exchange) and it was a nightmare to actually find the culprit without a fiddler trace.
Author Comment

by:shadowtuck
ID: 40204560
Thanks. Appreciate the response but it did not get to the heart of the question here. First, I don't want to mess with the AllowList because then you have to start listing everything you want to allow access to. I only want to deal with the BlockList. In other words, allow everything except what is on the BlockList. Much easier to manage.

Having said that, I am still confused as to whether to set the other settings to $True to get this to work. Some have said that if you set just the EnforceApplicationAccessPolicy:EWSBlockList and then set the value of EWSBlockList, it will not work. You have to also set the other values to $True, as I indicated in my post, which confuses me because they are already enabled to start with.
Accepted Solution

by:
Adam Farage earned 1500 total points
ID: 40204580
Ok, sorry... I did catch the whole question.

By default EWS will allow anything. It is a best practice to either set the items above to $TRUE that you would like to allow through and then set the block list, or set both the block list and the allow list. This way you know you are allowing those applications to connect, but at the same time you are forcing EWS to actually check the block list to make sure there are no other third-party applications.

The user agents one is a bit intensive, and I know it will block Lync from working. I would test intensively to make sure the user agents will not block other applications that you use that connect over EWS.

In the one situation I have seen (limited, as I have never really seen anyone use this before except for one customer), they set it to use the Block List but did not set $TRUE on the other attributes, thus causing everything to get blocked. Furthermore, on their own troubleshooting spree they set it to use the allow list with no other applications set to $TRUE, and this also broke it. Setting it back to $NULL will allow everything through.
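A worked example of the sequence described in the accepted solution, written for the Exchange Management Shell. This is added here and is not code from the thread's participants: it snapshots the current EWS settings so the change can be reversed, pilots the block-list policy on one mailbox with the other EWS switches explicitly $true, applies the same settings at the organisation level, and provides a rollback to the blank default. The mailbox name pilot.user is a placeholder; the LinkedInEws user-agent value is the one used in the question.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# 'pilot.user' is a placeholder mailbox; 'LinkedInEws' is the user agent from the question.
$pilot = 'pilot.user'

# 1. Snapshot the current EWS settings so you can compare and roll back later.
$orgBefore = Get-OrganizationConfig | Select-Object Ews*
$mbxBefore = Get-CASMailbox $pilot | Select-Object Ews*
$orgBefore | Format-List
$mbxBefore | Format-List

# 2. Pilot on one mailbox. The Ews* booleans are set explicitly to $true so the
#    policy cannot be read as "nothing is allowed"; the block list is enforced
#    and only the listed user agent is refused.
Set-CASMailbox $pilot `
    -EwsEnabled $true -EwsAllowOutlook $true `
    -EwsAllowMacOutlook $true -EwsAllowEntourage $true `
    -EwsApplicationAccessPolicy EnforceBlockList `
    -EwsBlockList 'LinkedInEws'

# 3. Sanity check before going any further: the policy must be EnforceBlockList
#    and the block list must be non-empty. Stop here if not.
$check = Get-CASMailbox $pilot
if ($check.EwsApplicationAccessPolicy -ne 'EnforceBlockList' -or $check.EwsBlockList.Count -eq 0) {
    throw "Pilot mailbox is not in the expected state; not touching the org level."
}
# Confirm that Outlook, Lync and any other EWS consumers still work for the
# pilot mailbox before moving on.

# 4. Same settings at the organisation level once the pilot is confirmed.
Set-OrganizationConfig `
    -EwsEnabled $true -EwsAllowOutlook $true `
    -EwsAllowMacOutlook $true -EwsAllowEntourage $true `
    -EwsApplicationAccessPolicy EnforceBlockList `
    -EwsBlockList 'LinkedInEws'
Get-OrganizationConfig | Format-List Ews*

# 5. Rollback to the default "allow everything" state: every value back to $null,
#    matching the blank output in the question. Never combine EnforceAllowList
#    with an empty allow list; that refuses every EWS client.
function Reset-EwsPolicy {
    Set-OrganizationConfig -EwsEnabled $null -EwsAllowOutlook $null `
        -EwsAllowMacOutlook $null -EwsAllowEntourage $null `
        -EwsApplicationAccessPolicy $null -EwsAllowList $null -EwsBlockList $null
    Set-CASMailbox $pilot -EwsEnabled $null -EwsAllowOutlook $null `
        -EwsAllowMacOutlook $null -EwsAllowEntourage $null `
        -EwsApplicationAccessPolicy $null -EwsAllowList $null -EwsBlockList $null
}
```

Compare the post-change output of Get-OrganizationConfig | Format-List Ews* against $orgBefore after each step so that an unintended change to the allow list is caught immediately.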
Author Comment

by:shadowtuck
ID: 40204744
OK, that makes it clearer. From what you are saying, then, if you do try to implement this, it's best to set everything to $True from the blank state, which is consistent with another blog I read. I have a test environment isolated from Prod in which I can test this out.
Expert Comment

by:Adam Farage
ID: 40204852
Ok, sounds good - let me know how it goes and if you have any further questions.