Create a GPO that allows only email access via Office 365

How do I create a GPO in Windows server 2008 that would allow users to only access email from hosted exchange via Office 365.  I dont want them to be able to surf websites.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Michal ZiembaIT AdministratorCommented:
First of all get familiar with this document: Office 365 URLs and IP address ranges
Based on this you can build some firewall rules to allow users to access Office 365 services.
And in this article you can find some details how to build Firewall rules using Group Policy: Windows Firewall and IPsec Policy Deployment Step-by-Step Guide
Rob KnightConsultantCommented:

Are your users using laptops and mobile or desktops and Office based on a LAN?

You'll need to determine where this will happen - if it's on the LAN network, then your router/firewall/proxy should be configured to do this. Rather than the devices themselves.

For when they are mobile, you'll need to create some GPOs which apply to the public/private firewall profiles - Domain will be enabled if the devices can authenticate to a Domain controller. However, be aware that changes to these will impact the endpoints ability to authenticate so your firewall rules will need to be configured carefully.

You will need to change the default allow Oubound All policy on the private/public firewall policy to Block, Except.

Your outbound rules will need to include:

DHCP - ability to get an IP address
DNS resolution - to resolve hosts etc.
LSASS to your DCs for Kerberos and LDAP
NCSI - to detect internet connections for NLASrv
HTTPS to Office 365 IP ranges

Hope this helps.

Create a firewall policy that only allows HTTPS to go to the relevant Office 365 ranges.
danmoroAuthor Commented:
This is just for a handful of desktops inside a LAN.
Michal ZiembaIT AdministratorCommented:
If you would like to limit access to the Internet and allow Office 365 on desktops inside the LAN, then there are several solutions:
  1. If desktops PCs are on separate LAN and if you have advanced firewall on-site, you can build firewall rules based on the article I mentioned above.
  2. If you want to limit access to Office 365 for the whole LAN and if and if you have advanced firewall on-site, the same as point 1.
  3. If you want to limit the access to Office 365 on selected PCs (i.e. based on AD Group membership), the Group Policy and firewall rules are the solution.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.