Disable OWA for External Site

  • Question

  • Dear Expert,

    I just implemented Exchange Server 2013, and I have a request from the management team. They already use OWA and mobile internally, but they would like to disable OWA and enable mobile when users are outside the office.

    Please advise.

    Friday, April 25, 2014 12:20 PM

Answers

  • Hi,

    Do you mean you want to know how you can block or disable external OWA for Exchange users without affecting internal OWA and external ActiveSync for them?

    If so, here are the steps you can use to block all users from accessing OWA externally.

    1. Create a new website only for ActiveSync service. Ex: (New-WebSite -Name TestSite -Port 80 -HostHeader TestSite -PhysicalPath "$env:systemdrive\inetpub\testsite").

    2. Assign new IP address to that website.

    3. Create ActiveSync virtual directory in the new website Ex: (New-ActiveSyncVirtualDirectory -WebSiteName "TestSite" -ExternalURL http://www.contoso.com/mail -InternalURL http://contoso/mail).

    4. Assign certificate to the new website.

    5. Don’t create OWA and ECP virtual directory in the new website.

    6. On the firewall NAT the public IP address to internal IP address assigned to new website.

    7. Use the Default Website for internal Outlook Web Access (without External URL settings and with no public IP address for the default site).

    Alternatively, we can keep the default web site for external access of ActiveSync, with external OWA disabled, and then create a new web site for internal OWA-ECP use. For more details about this method, please refer to:

    http://www.expta.com/2013/09/how-to-block-owa-2010-and-2013-for.html

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    Thanks,


    Winnie Liang
    TechNet Community Support

    • Marked as answer by MasterBirdMVP Monday, April 28, 2014 7:47 AM
    Monday, April 28, 2014 2:32 AM
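
Added example, not part of the original answer and not Microsoft's code: an audit of the layout from steps 3, 5 and 7, to be run in the Exchange Management Shell. The function name Test-ExternalOwaBlocked is hypothetical, and the site names are assumptions taken from the answer's "TestSite" example.

```powershell
# Added example: audits the virtual directory layout from steps 3, 5 and 7.
# Run in the Exchange Management Shell on the Exchange 2013 server.
# 'TestSite' is the example site name used in the answer; adjust as needed.
function Test-ExternalOwaBlocked {
    param(
        [string]$Server       = $env:COMPUTERNAME,
        [string]$ExternalSite = 'TestSite',
        [string]$InternalSite = 'Default Web Site'
    )

    $findings = @()
    # Virtual directory names have the form "owa (Default Web Site)".
    $onExternal = { $_.Name -like "*($ExternalSite)" }
    $onInternal = { $_.Name -like "*($InternalSite)" }

    $owa = @(Get-OwaVirtualDirectory -Server $Server)
    $ecp = @(Get-EcpVirtualDirectory -Server $Server)
    $eas = @(Get-ActiveSyncVirtualDirectory -Server $Server)

    # Step 5: the site that is NATed to the public IP must not host OWA or ECP.
    foreach ($vdir in @($owa + $ecp | Where-Object $onExternal)) {
        $findings += "OWA/ECP present on external site: $($vdir.Name)"
    }

    # Step 3: ActiveSync must exist on the external site.
    if (-not ($eas | Where-Object $onExternal)) {
        $findings += "No ActiveSync virtual directory on '$ExternalSite'"
    }

    # Step 7: internal OWA/ECP must not carry an ExternalUrl.
    foreach ($vdir in @($owa + $ecp | Where-Object $onInternal)) {
        if ($vdir.ExternalUrl) {
            $findings += "ExternalUrl set on $($vdir.Name): $($vdir.ExternalUrl)"
        }
    }

    # One result object: Passed is true only when nothing was flagged.
    [pscustomobject]@{
        Server   = $Server
        Passed   = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-ExternalOwaBlocked | Format-List
```

This only checks the Exchange configuration. The firewall NAT rule from step 6 decides what is reachable from outside, so also request /owa and /ecp against the public name from an external network and confirm they are not served.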

All replies

  • If I am not wrong, your requirement is not to allow users to access OWA from the public internet. If so, then simply disable your OWA publishing rule.

    OWA has 2 different URLs

    1. Internal URL 

    2. External URL, and we do publishing based on the External URL. You can disable the publishing of OWA on TMG (if using), and then users won't be able to access OWA from the public internet.

    Your second requirement is using mobile when users are on internet (out of office). For that purpose you need to configure ActiveSync policies on TMG / proxy server.

    Hope this answers your question. Kindly mark this as answer if your question is being answered. Thanks.


    Regards, Riaz Javed Butt | Consultant Microsoft Professional Services MCITP, MCITP (Exchange), MCSE: Messaging, MCITP Office 365 | msexchgeek.wordpress.com

    Friday, April 25, 2014 6:34 PM
  • Thank you. Can you provide TechNet for 2 requirements?
    Sunday, April 27, 2014 4:43 AM
  • Thank you
    Monday, April 28, 2014 7:47 AM
  • Hello,

    Does someone know if this implementation (moving the ActiveSync VirtualFolder) produces some problems while updating the Exchange server? As described in a comment of the given link http://www.expta.com/2013/09/how-to-block-owa-2010-and-2013-for.html, you have to reset your changes before you can update Exchange if you have moved the owa/ecp virtual directory to another website. Is it the same here?


    Tuesday, July 22, 2014 7:54 AM
  • Thanks for the detailed reply, I think this will take care of my requirement, which was from a TRACE security audit that recommended we turn off OWA; I guess there was a security hole by allowing OWA
    Monday, June 19, 2017 1:50 PM