Solved

Question on configuring EWS on Exchange 2010 SP1 at the org level

Posted on 2014-07-18
Last Modified: 2014-07-18
Been reading up on how to block certain services using EWS. In particular, apps like Cloud Magic that enable users to sync email without using ActiveSync and now more recently the issue with LinkedIn where users can input their business logon credentials and upload contacts from Exchange. Why anyone would do this is beyond me but that's another discussion.

I am trying to implement a block on LinkedIn and I know there are a number of articles on how to do this. In fact, LinkedIn published their own article.

What is not clear to me and it differs with each article is how to configure the settings in EWS. If I run the command get-OrganizationConfig | fl *ews* I get the following:


 [PS] C:\>Get-OrganizationConfig |fl *ews*


 EwsEnabled                 :
 EwsAllowOutlook            :
 EwsAllowMacOutlook         :
 EwsAllowEntourage          :
 EwsApplicationAccessPolicy :
 EwsAllowList               :
 EwsBlockList               :

As you can see, everything is blank so I assume blank equals default which equals enabled. As I am reading through articles, some say that to set up a filter for something like LinkedIn, you just configure EwsApplicationAccessPolicy to EnforceBlockList and EwsBlockList to the "user agent".

For LinkedIn, this would be

 EwsEnabled                 :
 EwsAllowOutlook            :
 EwsAllowMacOutlook         :
 EwsAllowEntourage          :
 EwsApplicationAccessPolicy : EnforceBlockList
 EwsAllowList               :
 EwsBlockList               : LinkedInEws

Then other articles say you need to set the remaining values to True so it looks like this

 EwsEnabled                 : True
 EwsAllowOutlook            : True
 EwsAllowMacOutlook         : True
 EwsAllowEntourage          : True
 EwsApplicationAccessPolicy : EnforceBlockList
 EwsAllowList               :
 EwsBlockList               : LinkedInEws

So, which is it? Has anyone implemented EWS filtering at the global level? If so, which of the above did you do?

I plan on doing this at the mailbox level before moving to a global setting. Lastly, if you want to go back to default, how do you do this? I can set each value to $null but does that actually set it back to default?
Question by:shadowtuck

Expert Comment

by:Adam Farage
ID: 40204540
A best practice is to fill out both the block list and the allow list, and then test. If all works well, then move it up to the org level.

If you notice an issue, you are absolutely correct - simply switch it to $NULL and everything will be allowed again. Whatever you do, do not set it to -EnforceApplicationAccessPolicy:EwsAllowList and set NOTHING. That will block EVERYTHING.

Bad times, I had a case with that (EWS / Lync / Exchange) and it was a nightmare to actually find the culprit without a fiddler trace.

Author Comment

by:shadowtuck
ID: 40204560
Thanks. Appreciate the response but it did not get to the heart of the question here. First, I don't want to mess with the AllowList because then you have to start listing everything you want to allow access to. I only want to deal with the BlockList. In other words, allow everything except what is on the BlockList. Much easier to manage.

Having said that, I am still confused as to whether to set the other settings to $True to get this to work. Some have said if you set just the EnforceApplicationAccessPolicy:EWSBlockList and then set the value of EWSBlockList, it will not work. You have to also set the other values to $True as I indicated in my post which confuses me because they are already enabled to start with.

Accepted Solution

by:
Adam Farage earned 500 total points
ID: 40204580
Ok, sorry... I did catch the whole question.

By default EWS will allow anything. It is a best practice to either set the items above to $TRUE that you would like to allow through and then set the block list, or setting the block list and allow list. This way you know you are allowing those applications to connect, but at the same time you are forcing EWS to actually check the blocked list to make sure there are no other third party applications.

The user agents one is a bit intensive, and I know it will block Lync from working. I would test intensively to make sure the user agents will not block other applications that you use that connect over EWS.

In the situation (limited, as I have never really seen anyone use this before except for one customer) is that they set it to use the Block List but did not set $TRUE to the other attributes, thus causing everything to get blocked. Furthermore, on their own troubleshooting spree they set it to use the allow list with no other applications set to $TRUE and this also broke it. Setting it back to $NULL will allow everything through.

Author Comment

by:shadowtuck
ID: 40204744
OK, that makes it clearer. From what you are saying then, if you do try to implement this, it's best to set everything to $True from the blank state, which is consistent with another blog I read. I have a test environment isolated from Prod that I can test this out.

Expert Comment

by:Adam Farage
ID: 40204852
Ok sounds good - let me know how it goes and if you have any further or additional questions.
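
The mailbox-first rollout and rollback discussed in this thread, written out as an added example that is not part of any poster's reply. The pilot mailbox name is a placeholder, 'LinkedInEws' is the user agent string quoted in the question, and setting the client flags to $true follows the accepted answer's advice.

```powershell
# Added example; run in the Exchange Management Shell on Exchange 2010 SP1.
# 'pilot.user' is a hypothetical test mailbox, not a name from the thread.
$Pilot = 'pilot.user'

# Settings the thread settles on: set the client flags explicitly to $true,
# then enforce the block list with the user agent from the question.
$Block = @{
    EwsEnabled                 = $true
    EwsAllowOutlook            = $true
    EwsAllowMacOutlook         = $true
    EwsAllowEntourage          = $true
    EwsApplicationAccessPolicy = 'EnforceBlockList'
    EwsBlockList               = @('LinkedInEws')
}

# Rollback set: every EWS value back to blank, matching the
# Get-OrganizationConfig output shown in the question.
$Reset = @{ EwsAllowList = $null }
foreach ($name in $Block.Keys) { $Reset[$name] = $null }

# 1. Record the starting state of the pilot mailbox.
Get-CASMailbox -Identity $Pilot | Format-List Ews*

# 2. Apply the policy to the pilot mailbox only.
Set-CASMailbox -Identity $Pilot @Block

# 3. Read the values back and flag anything that did not stick.
$cas = Get-CASMailbox -Identity $Pilot
if ($cas.EwsApplicationAccessPolicy -ne 'EnforceBlockList' -or
    $cas.EwsBlockList -notcontains 'LinkedInEws') {
    Write-Warning "EWS block policy not applied as expected on $Pilot"
}

# 4. After testing the pilot user's EWS clients (the accepted answer
#    mentions Lync in particular), apply the same values org-wide.
# Set-OrganizationConfig @Block
# Get-OrganizationConfig | Format-List Ews*

# Rollback at either level: blank every value again.
# Set-CASMailbox -Identity $Pilot @Reset
# Set-OrganizationConfig @Reset
```

The org-level and rollback commands are left commented out so that running the block as-is changes only the pilot mailbox.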