Limit external users access to OWA

    Question

  • Hi All

    I am working on publishing OWA. Can I determine and limit the users who can access OWA from the internet, and that without affecting the internal network access?
    I am using a Front End Exchange Server.


    Thanks.
    Saturday, January 09, 2010 6:50 PM

Answers

    In my case all external users' requests are forwarded to the front end Exchange Server through a firewall, and then the FE Exchange Server forwards the requests to the BE Exchange Server through the ISA Server.

    My ISA Server only contains one rule that allows all from the FE to the BE, so it recognizes no users. Users don't authenticate by the ISA Server so I'm not sure that I can control them by ISA rules.


    One solution could be to reconsider your design. With Exchange 2000 / 2003, your current design at one point was recommended by Microsoft. I was myself involved in making this work through Cisco Secure PIX firewalls. I think this is a lot easier to accomplish with ISA than PIX. Neither the Cisco nor the Exchange team found the end effect to be particularly secure.

    Later Microsoft changed its recommendations: move front-end servers into the internal network and ISA out to the DMZ. (With Exchange 2007 / 2010, front-end servers in the DMZ are no longer supported.) That's what we do: a small ISA Server 2006 array is inside the DMZ with the outside NICs. The inside NICs are part of the internal network. And ISA is part of the domain.

    Hardware-based firewalls on the edge take care of basic packet filtering with ASICs, which they can do a lot faster than ISA. ISA then takes care of the application layer protection (OSI level 7, DoD level 4). ISA is configured to do pre-authentication by querying the Active Directory, do packet inspection and forward the traffic to the Exchange front-end servers (now this is Exchange 2007: CAS servers).

    Internet clients go through ISA, inside clients talk directly to the CAS NLB. In addition we use a split DNS: webmail.mydomain.com refers to a public address that directs the traffic through ISA, and a private address that refers to the CAS NLB.

    With this configuration you should be able to "limit the users who can access OWA from the Internet, and that without affecting the internal network access," your initial requirement. In addition you are well prepared to make the move to Exchange 2007 / 2010.

    Take a look at these two articles:
    Don't put CAS in the Perimeter network!
    http://msexchangeteam.com/archive/2009/10/21/452929.aspx

    ISA 2006 SP1 Configuration with Exchange 2010
    http://msexchangeteam.com/archive/2009/12/17/453625.aspx


    MCTS: Messaging | MCSE: S+M | Small Business Specialist
    • Marked as answer by Alaaay Wednesday, January 13, 2010 9:12 AM
    Tuesday, January 12, 2010 1:25 PM
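    A check for the split-DNS layout the answer describes (internal name to the CAS NLB, public name to ISA), added here as an example and not taken from the thread: it parses nslookup output obtained from two different resolvers and flags a public answer that exposes the CAS address. The hostnames, resolver names and IP addresses are constructed placeholders.

    ```python
    import ipaddress
    import re
    import subprocess

    # Constructed sample nslookup output (placeholders, not addresses from the thread).
    # Internal resolver: webmail.mydomain.com points at the CAS NLB VIP on the LAN.
    SAMPLE_INTERNAL = """Server:  dc1.mydomain.local
    Address:  10.0.0.10

    Name:    webmail.mydomain.com
    Address:  10.0.5.50
    """
    # Public resolver: the same name points at the ISA array's outside address.
    SAMPLE_EXTERNAL = """Server:  resolver.example.net
    Address:  192.0.2.53

    Non-authoritative answer:
    Name:    webmail.mydomain.com
    Address:  203.0.113.20
    """

    IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


    def parse_nslookup(output):
        """Return the IPv4 answers in nslookup output, skipping the resolver's own Server/Address block."""
        _, sep, answer = output.partition("Name:")
        return IPV4.findall(answer) if sep else []


    def resolve_with(name, server):
        """Ask a specific resolver (the internal DC, or a public resolver) for `name`."""
        out = subprocess.run(["nslookup", name, server], capture_output=True, text=True, check=False)
        return parse_nslookup(out.stdout)


    def check_split_dns(internal_ips, external_ips, cas_nlb_vip, isa_public_ip):
        """Findings for the split-DNS layout in the thread: inside -> CAS NLB, outside -> ISA."""
        findings = []
        if set(internal_ips) != {cas_nlb_vip}:
            findings.append(f"internal view resolves to {internal_ips}, expected CAS NLB {cas_nlb_vip}")
        if set(external_ips) != {isa_public_ip}:
            findings.append(f"external view resolves to {external_ips}, expected ISA public {isa_public_ip}")
        # An RFC 1918 address in the public answer means the CAS address is published to the Internet.
        for ip in external_ips:
            if ipaddress.ip_address(ip).is_private:
                findings.append(f"private address {ip} is visible in public DNS")
        if internal_ips and set(internal_ips) == set(external_ips):
            findings.append("both views agree: split DNS is not in effect")
        return findings


    if __name__ == "__main__":
        inside = parse_nslookup(SAMPLE_INTERNAL)
        outside = parse_nslookup(SAMPLE_EXTERNAL)
        for f in check_split_dns(inside, outside, "10.0.5.50", "203.0.113.20"):
            print("FINDING:", f)
    ```

    Against live resolvers, replace the sample strings with `resolve_with("webmail.mydomain.com", "<internal DNS>")` and `resolve_with("webmail.mydomain.com", "<public resolver>")`; an empty result means the two views match the design.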

All replies

  • Do you mean:

    1 - Allow some users, but not others, to use or access OWA?

    or

    2 - Limit simultaneous connections from the Internet?

    1 is possible but it would apply both internally and externally.

    It looks like you might want to allow user A to access his mail via OWA from inside the company network but not from outside.

    I don't believe that is possible.
    Sunday, January 10, 2010 6:30 PM
  • In order to manage OWA on Exchange 2003 Front-End servers, you should use this tool:
    Microsoft Outlook Web Access 2003 Web-based Administration
    http://www.msexchange.org/tutorials/Outlook-Web-Access-Web-based-Administration.html

    Microsoft Exchange Server Outlook Web Access Web Administration
    http://www.microsoft.com/downloads/details.aspx?familyid=4BBE7065-A04E-43CA-8220-859212411E10&displaylang=en

    With ISA Server 2006 you can restrict users from the Internet. When you create an OWA publishing rule, by default the rule applies to All users. You can however, qualify the user sets that will have access to this rule. (Publishing rules with Exchange 2003 and 2007 are not very different.) See # 22

    22. On the User Sets page, the default setting is All Authenticated Users. This allows all users you successfully authenticate with the ISA Firewall to have their connection requests forwarded to the Exchange Server. You also have the option to limit access to certain groups, so that even if a user can successfully authenticate, the user must be part of a specific group in order to be authorized to access the Exchange Server. Later in this paper we’ll explore how to limit access to certain groups.
    In this example we’ll accept the default settings and click Next.

    ISA Firewall Publishing OWA and RPC/HTTP with a Single IP Address: Part 3 - Single Exchange Server with Separate DC Scenario/LDAP Authentication
    http://www.redline-software.com/eng/support/articles/isaserver/publishing/isa-firewall-publishing-owa-rpc-http-single-ip-address-part3.php

    Publishing Exchange Server 2007 with ISA Server 2006
    http://technet.microsoft.com/en-us/library/bb794751.aspx#rule

    See also Internal vs External access to OWA
    http://social.technet.microsoft.com/forums/en-US/exchangesvrclients/thread/a2d74d1f-39c2-4c35-acfb-81c7d921b587/


    MCTS: Messaging | MCSE: S+M | Small Business Specialist
    Sunday, January 10, 2010 9:42 PM
  • Thank you for your very valuable reply.

    I was comparing the article on the "Redline-software" website and I'm not sure if it's compatible with my case.

    In my case all external users' requests are forwarded to the front end Exchange Server through a firewall, and then the FE Exchange Server forwards the requests to the BE Exchange Server through the ISA Server.

    My ISA Server only contains one rule that allows all from the FE to the BE, so it recognizes no users. Users don't authenticate by the ISA Server so I'm not sure that I can control them by ISA rules.

    Monday, January 11, 2010 7:51 AM
  • Hi,

    From Exchange side, that is impossible. But for ISA, you can implement the rule to achieve it.

    Thanks

    Allen

    Tuesday, January 12, 2010 8:34 AM
  • I'm not sure if you have Exchange 2003 or 2007, but I wrote this for E2007:

    http://www.leederbyshire.com/Block-Or-Allow-OWA-Depending-On-Location-2007.asp
    Tuesday, January 12, 2010 1:50 PM
  • Thank you very much .... It was a very important and helpful reply.
    Wednesday, January 13, 2010 9:12 AM
  • Dears,

    We have a FortiGate firewall and the Exchange server is behind it. Previously we installed BlackBerry Enterprise Server to enable BlackBerry smartphones to access their mailboxes via the BlackBerry service.

    Is there another intermediate software (such as the Blackberry exchange server) that can access Exchange to enable specific (not all) users to access their mailbox from the internet? We do not want to enable direct access to the Exchange server.

    Does anyone have an idea?

    Many thanks

    Sunday, June 16, 2013 11:09 AM