Solved

Restricting Outlook Anywhere to internal network

Posted on 2014-09-15
3
528 Views
Last Modified: 2014-09-16
I have two CAS/HT servers running Exchange 2007 SP3 Update Rollup 10 in the same site.  Only one of the CAS servers is accessible from the Internet and is used for OWA externally along with inbound/outbound email.  Currently Outlook Anywhere is disabled in our Exchange organization because we require two-factor authentication.  

To satisfy our two-factor needs with Outlook Anywhere, we plan to install a certificate on the client machine to be used for establishing a client VPN session with the corporate firewall (along with username/password).  Would it be best to enable Outlook Anywhere and use the internal host name of the other CAS server (not accessible from Internet) for Outlook Anywhere?  That way only clients with an internal IP address (and VPN clients) would be able to access it using the internal host name of the CAS server.  Does this sound like a good solution?  What is best practices for limiting Outlook Anywhere to internal clients that do not necessary have workstations that are part of the domain?
0
Comment
Question by:npdodge
3 Comments
 
LVL 3

Accepted Solution

by:
mrmark75 earned 500 total points
ID: 40324656
Your post is confusing or I'm just not understanding what you are doing.  The point of Outlook Anywhere is to be able to connect to exchange without the need to have a VPN connection. So if you disable Outlook Anywhere then the user will need a VPN connection to connect to exchange, and that's what is sounds like you want. Are you confusing Outlook Anywhere with Outlook Web Access here?
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 40324867
outlook anywhere is the default connection method once you hit exchange 2013 and was more prominent in 2013 vs using MAPI connections.

If you want to stop it connecting externally you could

- Set the external URL to one that is not resolvable outside of the internal network (doesn't have to be domain.local just no external DNS record)
or
- don't configure firewall rules to allow connections to outlook anywhere through (if you are using Outlook web access as the poster above talks about then you will have an issue as the function on the same ports)
0
 

Author Comment

by:npdodge
ID: 40325607
Thanks MrMark75 that makes completely sense.  We were so focused on Outlook Anywhere that we didn't think about that.  

Once we move to Exchange 2013, we will just leave the external URL blank.
0

Featured Post

Too many email signature changes to deal with?

Are you constantly being asked to update your organization's email signatures? Do they take up too much of your time? Wouldn't you love to be able to manage all signatures from one central location, easily design them and deploy them quickly to users. Well, you can!

Join & Write a Comment

Suggested Solutions

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
how to add IIS SMTP to handle application/Scanner relays into office 365.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now