Question on configuring EWS on Exchange 2010 SP1 at the org level

Been reading up on how to block certain services using EWS. In particular, apps like Cloud Magic that enable users to sync email without using ActiveSync, and now more recently the issue with LinkedIn where users can input their business logon credentials and upload contacts from Exchange. Why anyone would do this is beyond me, but that's another discussion.

I am trying to implement a block on LinkedIn and I know there are a number of articles on how to do this. In fact, LinkedIn published their own article.

What is not clear to me and it differs with each article is how to configure the settings in EWS. If I run the command get-OrganizationConfig | fl *ews* I get the following:


    [PS] C:\>Get-OrganizationConfig | fl *ews*

    EwsEnabled                 :
    EwsAllowOutlook            :
    EwsAllowMacOutlook         :
    EwsAllowEntourage          :
    EwsApplicationAccessPolicy :
    EwsAllowList               :
    EwsBlockList               :

As you can see, everything is blank, so I assume blank equals default, which equals enabled. As I am reading through articles, some say that to set up a filter for something like LinkedIn, you just configure EwsApplicationAccessPolicy to EnforceBlockList and EwsBlockList to the "user agent".

For LinkedIn, this would be

    EwsEnabled                 :
    EwsAllowOutlook            :
    EwsAllowMacOutlook         :
    EwsAllowEntourage          :
    EwsApplicationAccessPolicy : EnforceBlockList
    EwsAllowList               :
    EwsBlockList               : LinkedInEws

Then other articles say you need to set the remaining values to True, so it looks like this:

    EwsEnabled                 : True
    EwsAllowOutlook            : True
    EwsAllowMacOutlook         : True
    EwsAllowEntourage          : True
    EwsApplicationAccessPolicy : EnforceBlockList
    EwsAllowList               :
    EwsBlockList               : LinkedInEws

So, which is it? Has anyone implemented EWS filtering at the global level? If so, which of the above did you do?

I plan on doing this at the mailbox level before moving to a global setting. Lastly, if you want to go back to default, how do you do this? I can set each value to $null, but does that actually set it back to default?
Asked by shadowtuck
Adam Farage (Enterprise Arch) commented:
A best practice is to fill out both the block list and the allow list, and then test. If all works well, then move it up to the org level.

If you notice an issue, you are absolutely correct - simply switch it to $NULL and everything will be allowed again. Whatever you do, do not set it to -EnforceApplicationAccessPolicy:EwsAllowList and set NOTHING. That will block EVERYTHING.

Bad times, I had a case with that (EWS / Lync / Exchange) and it was a nightmare to actually find the culprit without a fiddler trace.
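Adam's point about needing a Fiddler trace to find out what a policy is blocking can be turned into a quick check. The following PowerShell probe is an added example, not code from the thread: it posts a minimal EWS GetFolder request under several User-Agent strings to a pilot mailbox and reports which ones get a SOAP reply back. The EWS URL, the credentials prompted for, and the user-agent strings (including the approximate Outlook 2010 one) are assumptions; the SOAP body is constructed for the Exchange 2010 SP1 schema. It needs PowerShell 3.0 or later for Invoke-WebRequest and can run from any workstation that reaches the EWS virtual directory.

```powershell
# Added example (not from the thread): probe an EWS endpoint with chosen
# User-Agent strings to see which ones the application access policy stops.
# Endpoint, credentials and agent strings are assumptions for illustration.

$EwsUrl = 'https://mail.contoso.com/EWS/Exchange.asmx'   # assumed EWS endpoint
$Cred   = Get-Credential -Message 'Credentials for the pilot mailbox to test'

# Constructed request: GetFolder on the Inbox with the IdOnly shape,
# using the Exchange 2010 SP1 request schema.
$Soap = @'
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header><t:RequestServerVersion Version="Exchange2010_SP1"/></soap:Header>
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape><t:BaseShape>IdOnly</t:BaseShape></m:FolderShape>
      <m:FolderIds><t:DistinguishedFolderId Id="inbox"/></m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>
'@

function Test-EwsUserAgent {
    param([string]$UserAgent)
    try {
        $r = Invoke-WebRequest -Uri $EwsUrl -Method Post -Credential $Cred `
                -ContentType 'text/xml; charset=utf-8' -Body $Soap `
                -UserAgent $UserAgent -UseBasicParsing
        # A client that passes the policy gets a SOAP response carrying a FolderId.
        $allowed = ($r.StatusCode -eq 200) -and ($r.Content -match 'FolderId')
        [pscustomobject]@{ UserAgent = $UserAgent; Status = $r.StatusCode; Allowed = $allowed }
    } catch {
        # Blocked or otherwise failed requests land here; the HTTP status (if any)
        # tells you whether the policy or something else (auth, DNS) rejected it.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'n/a' }
        [pscustomobject]@{ UserAgent = $UserAgent; Status = $status; Allowed = $false }
    }
}

# Agents to try: the string you intend to block, a client you must not break,
# and a neutral one that no rule mentions (all constructed for this example).
$Agents = @(
    'LinkedInEWS',                                                                 # from the block list
    'Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.6109; Pro)',  # approx. Outlook 2010
    'Probe/1.0 (test)'                                                             # unlisted agent
)
$Agents | ForEach-Object { Test-EwsUserAgent $_ } | Format-Table -AutoSize
```

Run it once before applying a policy (every row should show Allowed = True) and again after each change; a row that flips to False for an agent you did not intend to block is the "culprit" Adam describes, found without a proxy trace.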
shadowtuck (Author) commented:
Thanks. Appreciate the response, but it did not get to the heart of the question here. First, I don't want to mess with the AllowList, because then you have to start listing everything you want to allow access to. I only want to deal with the BlockList. In other words, allow everything except what is on the BlockList. Much easier to manage.

Having said that, I am still confused as to whether to set the other settings to $True to get this to work. Some have said that if you set just the EnforceApplicationAccessPolicy:EWSBlockList and then set the value of EWSBlockList, it will not work. You have to also set the other values to $True as I indicated in my post, which confuses me because they are already enabled to start with.
Adam Farage (Enterprise Arch) commented:
Ok, sorry... I did catch the whole question.

By default EWS will allow anything. It is a best practice to either set the items above to $TRUE that you would like to allow through and then set the block list, or set the block list and allow list. This way you know you are allowing those applications to connect, but at the same time you are forcing EWS to actually check the blocked list to make sure there are no other third-party applications.

The user agents one is a bit intensive, and I know it will block Lync from working. I would test intensively to make sure the user agents will not block other applications that you use that connect over EWS.

In that situation (limited, as I have never really seen anyone use this before except for one customer), they set it to use the Block List but did not set $TRUE on the other attributes, thus causing everything to get blocked. Furthermore, on their own troubleshooting spree they set it to use the allow list with no other applications set to $TRUE, and this also broke it. Setting it back to $NULL will allow everything through.
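The procedure Adam recommends (set the allow flags to $true explicitly, enforce the block list, pilot on one mailbox, promote to the org, and $null everything to revert) as one script. This is an added example, not code from the thread; the pilot mailbox name and the "LinkedInEWS" user-agent string are assumptions, and it is meant to be run in the Exchange 2010 SP1 Management Shell. The parameter names are the same on Set-CASMailbox and Set-OrganizationConfig, which is why the settings are kept in a hashtable and splatted to both.

```powershell
# Added example (not from the thread): stage an EWS block-list policy on a
# pilot mailbox, verify it, promote it to the org, and roll back to defaults.
# Mailbox name and the blocked user-agent string are assumptions.

$PilotMailbox  = 'pilot.user@contoso.com'   # assumed pilot mailbox
$BlockedAgents = @('LinkedInEWS')           # user-agent strings to block (wildcards such as 'LinkedIn*' are accepted)

# "Allow everything except the block list", stated explicitly rather than
# relying on blank (inherited/default) values for the allow flags.
$BlockListPolicy = @{
    EwsEnabled                 = $true
    EwsAllowOutlook            = $true
    EwsAllowMacOutlook         = $true
    EwsAllowEntourage          = $true
    EwsApplicationAccessPolicy = 'EnforceBlockList'
    EwsBlockList               = $BlockedAgents
}

function Assert-SafeEwsPolicy {
    # Guard against the failure mode described above: EnforceAllowList with an
    # empty EwsAllowList blocks every EWS client (Lync included).
    param([hashtable]$Settings)
    if ($Settings.EwsApplicationAccessPolicy -eq 'EnforceAllowList' -and -not $Settings.EwsAllowList) {
        throw 'Refusing EnforceAllowList with an empty EwsAllowList: this would block all EWS clients.'
    }
    if ($Settings.EwsApplicationAccessPolicy -eq 'EnforceBlockList' -and -not $Settings.EwsBlockList) {
        Write-Warning 'EnforceBlockList with an empty EwsBlockList blocks nothing.'
    }
}

Assert-SafeEwsPolicy $BlockListPolicy

# 1. Pilot at the mailbox level. A blank ($null) mailbox value means the
#    mailbox uses the organization setting, so set every field you care about.
Set-CASMailbox -Identity $PilotMailbox @BlockListPolicy
Get-CASMailbox -Identity $PilotMailbox | Format-List Ews*

# 2. Once the pilot mailbox behaves (Outlook, Lync and any other EWS clients
#    still work, the blocked agent does not), apply the same hashtable org-wide.
# Set-OrganizationConfig @BlockListPolicy
# Get-OrganizationConfig | Format-List Ews*

# 3. Roll back: $null on every Ews* parameter returns to the blank state
#    shown in the question, i.e. everything allowed.
$EwsDefaults = @{
    EwsEnabled                 = $null
    EwsAllowOutlook            = $null
    EwsAllowMacOutlook         = $null
    EwsAllowEntourage          = $null
    EwsApplicationAccessPolicy = $null
    EwsAllowList               = $null
    EwsBlockList               = $null
}
# Set-CASMailbox -Identity $PilotMailbox @EwsDefaults
# Set-OrganizationConfig @EwsDefaults
```

The org-level and rollback commands are commented out so the script only touches the pilot mailbox when run as-is; uncomment them deliberately after the pilot checks out, and keep the rollback hashtable handy, since setting the same parameters back to $null is the documented way to return to the default "allow everything" state.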
shadowtuck (Author) commented:
OK, that makes it clearer. From what you are saying then, if you do try to implement this, it's best to set everything to $True from the blank state, which is consistent with another blog I read. I have a test environment isolated from Prod that I can test this out in.
Adam Farage (Enterprise Arch) commented:
Ok sounds good - let me know how it goes and if you have any further or additional questions.