Block External Outlook Web Access only for few users


We are using 4 Exchange 2010 Multi Role Servers with F5 Load balancer for OWA access from outside.
Right now OWA is accessible from Inside and outside environment for all users.
As per our client, he has a requirement to "Disable the External OWA access for only few users and only during weekends". There should be no impact to Internal OWA access for these users.
Let me explain the condition once again
1) Disable External OWA access
2) Only for few users
3) Only During Weekend and
4) No impact to Internal OWA access for these users

Is there any way to do it using Exchange 2010 or F5 or TMG and how feasible is that to deploy?

Thanks in advance for your help.
parv kumar (engineer) Asked:

MAS (EE Solution Guide - Technical Dept Head) Commented:
There is no easy or built-in way to block OWA external access only for few users.
Please check this as a work around
yo_bee (Director of Information Technology) Commented:
I am not sure if there is a setting, but you can script it with PowerShell and schedule the script to run at the time you want. I do not think you can control from Exchange to allow internal, but not external. It is on or off for this feature.

I would create a group in AD and add the users you need to restrict.
From there, combine both AD PowerShell and Exchange PowerShell.

You will need two scripts: one to disable for the weekend, the other to enable.
I tested this and it worked, but it did force me to re-authenticate to my Outlook App.  I am not using the native Mail App.

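This should be run from your CAS Server.

```powershell
# Script 1: disable (schedule for the start of the weekend)
Import-Module ActiveDirectory

# Load the registered snap-ins, which include the Exchange management snap-in
Get-PSSnapin -Registered | Add-PSSnapin

# Turn ActiveSync off for every member of the group
Get-ADGroupMember -Identity "<GroupName>" | %{Set-CASMailbox -Identity $_.sAMAccountName -ActiveSyncEnabled $False}
```

```powershell
# Script 2: enable (schedule for the end of the weekend)
Import-Module ActiveDirectory

Get-PSSnapin -Registered | Add-PSSnapin

# Turn ActiveSync back on for every member of the group
Get-ADGroupMember -Identity "<GroupName>" | %{Set-CASMailbox -Identity $_.sAMAccountName -ActiveSyncEnabled $True}
```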

Once created, open Task Scheduler and create two tasks to run at the time you wish to disable and enable. Remember that you need to use powershell.exe with the argument <Script file Path>
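Added example, not part of yo_bee's post: the two scheduled scripts above folded into one idempotent script that derives the desired state from the day of the week, changes only mailboxes that differ, and logs each change. The group name, log path and script path are hypothetical, and `-Feature OWAEnabled` selects the OWA switch of `Set-CASMailbox`, which, as the thread notes, is on or off for internal and external access alike.

```powershell
# Added example: Set-WeekendAccess.ps1 (hypothetical file name).
# Schedule it with powershell.exe -NoProfile -File <Script file Path>, e.g. hourly,
# so a missed run at the weekend boundary is corrected by the next run.
param(
    [string]$GroupName = 'Weekend-Restricted-Users',    # hypothetical AD group
    [ValidateSet('OWAEnabled', 'ActiveSyncEnabled')]
    [string]$Feature = 'ActiveSyncEnabled',             # the switch used in the post above
    [string]$LogPath = 'C:\Scripts\weekend-access.log', # hypothetical log location
    [switch]$DryRun                                     # report only, change nothing
)

Import-Module ActiveDirectory
# Exchange 2010 management snap-in; ignore the error if it is already loaded.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

# Weekend => feature off; any other day => feature on.
$isWeekend = @('Saturday', 'Sunday') -contains (Get-Date).DayOfWeek.ToString()
$desired   = -not $isWeekend

Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $sam = $_.SamAccountName
        $cas = Get-CASMailbox -Identity $sam -ErrorAction SilentlyContinue
        if (-not $cas) {
            # Group member without a mailbox: record it and move on.
            Add-Content -Path $LogPath -Value "$(Get-Date -Format s) SKIP $sam (no mailbox)"
            return
        }
        # Already in the desired state: nothing to do, nothing to log.
        if ($cas.$Feature -eq $desired) { return }

        # Build the Set-CASMailbox arguments; the feature name is the parameter name.
        $setArgs = @{ Identity = $sam }
        $setArgs[$Feature] = $desired
        if ($DryRun) { $setArgs['WhatIf'] = $true }
        Set-CASMailbox @setArgs

        $tag = if ($DryRun) { 'DRYRUN' } else { 'SET' }
        Add-Content -Path $LogPath -Value "$(Get-Date -Format s) $tag $sam $Feature=$desired"
    }
```

Run it once with `-DryRun` and review the log before scheduling it; the log also gives an audit trail of which accounts were toggled and when.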


parv kumar (engineer, Author) Commented:
Thanks MAS and yo_bee for your prompt response.

I am really not good with changing the .aspx code as per my requirement.
And yes, as per my understanding, yo_bee, from Exchange it's either ON or OFF.
I have TMG and F5 in my environment, so if not from Exchange, is there any other way to do it from the F5 load balancer or TMG?
yo_bee (Director of Information Technology) Commented:
I have never used TMG or F5 so there is not much I can say on them.

MAS (EE Solution Guide - Technical Dept Head) Commented:
Even F5 doesn't have such a feature. I am not sure about TMG.
Amit Kumar Commented:
Even in TMG you won't be able to do such things, as the OWA publishing rule does not work properly AD group wise. I tried to configure it many times but it does not work, but when we add All users then it works. By default Exchange has a feature to enable/disable OWA from internal and external. No way to block only from external. Maybe there are third-party applications that actually support such features, but no awareness as of now.
yo_bee (Director of Information Technology) Commented:
From what others are posting it looks like all or nothing.

Just out of curiosity, why do you need to restrict external access, but still allow them to access internally?

I would figure that if you are restricting access over the weekend for this set group of users there would be no need for them to be in the office and have access?
parv kumar (engineer, Author) Commented:
yo_bee, I am also curious. But that's the client's requirement.
yo_bee (Director of Information Technology) Commented:
Have you inquired or just said let me see?
parv kumar (engineer, Author) Commented:
Hi yo_bee, honestly speaking this question did not come to my mind that time. But I have shared the alternate solutions suggested by you and MAS.
Thank you for your help..
yo_bee (Director of Information Technology) Commented:
You will still need to script the adding and removing of the group membership for scheduling.
parv kumar (engineer, Author) Commented:
Yes, I would. Thanks a lot for your help, yo_bee.