Restricting Outlook Anywhere to internal network

I have two CAS/HT servers running Exchange 2007 SP3 Update Rollup 10 in the same site.  Only one of the CAS servers is accessible from the Internet and is used for OWA externally along with inbound/outbound email.  Currently Outlook Anywhere is disabled in our Exchange organization because we require two-factor authentication.  

To satisfy our two-factor needs with Outlook Anywhere, we plan to install a certificate on the client machine to be used for establishing a client VPN session with the corporate firewall (along with username/password).  Would it be best to enable Outlook Anywhere and use the internal host name of the other CAS server (not accessible from Internet) for Outlook Anywhere?  That way only clients with an internal IP address (and VPN clients) would be able to access it using the internal host name of the CAS server.  Does this sound like a good solution?  What is best practices for limiting Outlook Anywhere to internal clients that do not necessary have workstations that are part of the domain?
npdodgeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mrmark75Commented:
Your post is confusing or I'm just not understanding what you are doing.  The point of Outlook Anywhere is to be able to connect to exchange without the need to have a VPN connection. So if you disable Outlook Anywhere then the user will need a VPN connection to connect to exchange, and that's what is sounds like you want. Are you confusing Outlook Anywhere with Outlook Web Access here?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ChrisCommented:
outlook anywhere is the default connection method once you hit exchange 2013 and was more prominent in 2013 vs using MAPI connections.

If you want to stop it connecting externally you could

- Set the external URL to one that is not resolvable outside of the internal network (doesn't have to be domain.local just no external DNS record)
or
- don't configure firewall rules to allow connections to outlook anywhere through (if you are using Outlook web access as the poster above talks about then you will have an issue as the function on the same ports)
0
npdodgeAuthor Commented:
Thanks MrMark75 that makes completely sense.  We were so focused on Outlook Anywhere that we didn't think about that.  

Once we move to Exchange 2013, we will just leave the external URL blank.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.