Restrict External Access to OWA

Is there a simple way to limit external access to OWA (to only a few managers) while still allowing internal access to OWA to all users in the organization. The way we do it now is to allow certain managers to vpn in, and then access their email via OWA. But the powers that be want the managers to be able to access OWA from inet without having to vpn.
(they do not want to utilize Outlook Anywhere, so please don't ask why we don't use Outlook Anywhere)
I figured something like create a security group consisting of specific managers, then stick a statement in isa. But that is where I am stumped. Any help would be sincerely appreciated.
And as always, I would like to say thanks to all of the techs that take the time to help hapless people like myself.
harold mcmullennetwork techAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

AmitIT ArchitectCommented:
Ya, it is possible, however  you need to invest in 3rd party tool like Entrust. You can use Entrust card to limit the access to user, who can access OWA from External or not. Please don't ask for free solution.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
harold mcmullennetwork techAuthor Commented:
well actually, that is what I am looking for is a free solution. i already know that there are 3rd party solutions. i should have mentioned that in my question. but thanks Amit for taking the time to respond.
AmitIT ArchitectCommented:
Ya, I know, however Until Microsoft give such option in Exchange. The only way left is to use 3rd party tool. Also note, whenever user is accessing from Internet, you should always look for tool which is tested and used by many org.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

What version of Exchange are you using?
In 2007 and 2010, you can edit the mailbox features to disable OWA access in mailbox properties.
harold mcmullennetwork techAuthor Commented:
-i want everyone on the inside to be able to access OWA. (disabling OWA in mailbox properties disables access from inside also)
- Select managers should have the ability to go to internet, type in and be able to access their OWA. (But only select managers, not the rest of the staff)
AmitIT ArchitectCommented:

I assume, I answered your question already. Are you still looking for any other suggestion.
I must have misread something.  Exchange isn't part of the OS, so GPO doesn't really apply.  There has to be a 3rd party tool to allow that.  Are the restrictions for after hours or weekend reasons?

If so, you can restrict logon hours for users you don't want in OWA.  

Other option is to turn off (firewall) OWA from outside the building, and setup VPN for select users and managers.
harold mcmullennetwork techAuthor Commented:
I do appreciate answers, but let me reiterate: the people in charge do not want staff to use a VPN.  (do not ask why)
It has nothing to do with LOGON TIMES.

Without utilizing 3rd party vendors, I want to know if there is a way to allow a security group (say with 8 users), access to OWA from OUTSIDE of our organization. (no matter what time of day, or what location they are at as long as they are not connecting from our LAN. So one person can be in Chicago, another in Timbuktu and they can access OWA. (but not by VPN) (and ONLY those 8 staff users) But anybody that is not in the security group, CANNOT access OWA from OUTSIDE our organization. (but if they are in the building and connected to our LAN, then yes, they can access OWA and Outlook for that matter!)
AMIT, I appreciate your input, but no, you really did not answer my question.

I actually have a solution, but I wanted to see if there were any other solutions. By adding a piece of code to the OWA  "startpage" on exchange server (C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\forms\premium (and basic) , this can be done.

I will leave this question up for a couple of more days to see if anybody knows of a different way.
Adding code to the start page is a 3rd party solution...
AmitIT ArchitectCommented:
I will be interested to know that coding solution.
That makes 2 of us.
harold mcmullennetwork techAuthor Commented:
I will give you both 250 points for at least taking time to help, but I do not feel you "answered" my question.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.