Exchange 2013 - restrict remote connections based on certificate

I have 4 Exchange Servers: 2 front-end CAS servers and 2 MBX servers. All is up and has been running great for 14 months now. I'm wanting to be able to manage what machines have remote access to Exchange, ActiveSync etc. to prevent unauthorized or personal desktops from simply using the Autodiscover service to connect to Exchange.

I'm seeing a lot about certificate-based authentication, which could be nice, but what I would really like to do is generate a certificate from my domain controller and have Exchange simply check for this private certificate. If the certificate is present on the desktop or mobile device, users can still connect with their domain credentials just like they do today. I can deploy this generated certificate to my mobile devices and laptops easily. Can anyone get me started in the right direction to accomplish this?

Thank you,
DeltaMN Asked:

Carol Chisholm Commented:
I'd suggest using Web Application Proxy, the reverse proxy built into Server 2012 R2.
It's easy to configure.
Ideally you would do ADFS and Device Registration, which gives you really fine control, but you can just do certificate-based authentication.

Here are some of the TechNet links:
http://technet.microsoft.com/en-us/library/dn280942.aspx
http://technet.microsoft.com/en-us/library/dn584098.aspx

Here's a link about doing fine-grained authentication:
http://blog.auth360.net/category/web-application-proxy/

Here is one on SharePoint, but it's much the same thing:
http://www.brightstarr.com/sharepoint-technology-and-application-insights/securely-publishing-sharepoint-externally-using-web-application-proxy
0
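To make the suggested approach concrete, here is an added PowerShell example (not part of the original answer or of any Microsoft documentation) that publishes Exchange 2013 OWA and ActiveSync through Web Application Proxy on Server 2012 R2 with AD FS pre-authentication requiring a client certificate. Host names (sts.contoso.com, mail.contoso.com), the service account, the relying party name and all thumbprints are placeholders; it assumes Exchange 2013 SP1 (needed for AD FS claims-based OWA) and an existing AD FS relying party trust for OWA.

```powershell
# Added example, not from the original post. Goal: only devices that present
# a client certificate issued by the internal CA (and optionally are
# workplace-joined) get past the proxy to the CAS servers.

# --- On the AD FS server: require a client certificate for extranet sign-in ---
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider @('CertificateAuthentication')
# Optional Device Registration Service, so only registered devices can sign in.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\svc_drs$'   # placeholder account
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# --- On the Web Application Proxy server in the perimeter network ---
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$fsCred = Get-Credential -Message 'AD FS local administrator for the proxy trust'
Install-WebApplicationProxy -FederationServiceName 'sts.contoso.com' `
    -FederationServiceTrustCredential $fsCred `
    -CertificateThumbprint '<THUMBPRINT-OF-STS-CERT>'          # placeholder

$extCert = '<THUMBPRINT-OF-MAIL-CERT-ON-PROXY>'                 # placeholder

# OWA: AD FS pre-authentication. The relying party name must match the
# relying party trust created for Exchange in AD FS.
Add-WebApplicationProxyApplication -Name 'Exchange OWA' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Outlook Web App' `
    -ExternalUrl 'https://mail.contoso.com/owa/' `
    -BackendServerUrl 'https://mail.contoso.com/owa/' `
    -ExternalCertificateThumbprint $extCert

# ActiveSync: in 2012 R2 WAP the EAS protocol cannot follow the AD FS
# redirect, so it is published pass-through. Restricting EAS clients then
# still has to happen in Exchange itself (device access rules / quarantine).
Add-WebApplicationProxyApplication -Name 'Exchange ActiveSync' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://mail.contoso.com/Microsoft-Server-ActiveSync/' `
    -BackendServerUrl 'https://mail.contoso.com/Microsoft-Server-ActiveSync/' `
    -ExternalCertificateThumbprint $extCert

# Verify what is published and how each application is pre-authenticated.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl -AutoSize
```

The pass-through rule for ActiveSync is the gap to keep in mind: the proxy only enforces the certificate requirement for the applications it pre-authenticates.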

DeltaMN (Author) Commented:
Thank you for the direction. I wasn't sure if I could require a certificate from the CAS servers' ActiveSync website. The Web Application Proxy sounds like a good solution; I'm going to leave this post open and hopefully I get some additional ideas before I start investing my time.
0