I have two CAS/HT servers running Exchange 2007 SP3 Update Rollup 10 in the same site. Only one of the CAS servers is accessible from the Internet and is used for OWA externally along with inbound/outbound email. Currently Outlook Anywhere is disabled in our Exchange organization because we require two-factor authentication.
To satisfy our two-factor needs with Outlook Anywhere, we plan to install a certificate on the client machine to be used for establishing a client VPN session with the corporate firewall (along with username/password). Would it be best to enable Outlook Anywhere and use the internal host name of the other CAS server (not accessible from Internet) for Outlook Anywhere? That way only clients with an internal IP address (and VPN clients) would be able to access it using the internal host name of the CAS server. Does this sound like a good solution? What are the best practices for limiting Outlook Anywhere to internal clients that do not necessarily have workstations that are part of the domain?