Exchange 2016 Manage authentication with certificate

  • Question

  • Hello,

    We are currently setting up an Exchange 2016 server.

    We would like to manage access to the server (blacklist / whitelist) for all our devices. For everything that is mobile it is simple: we will use ActiveSync. The problem is with desktops and laptops. We thought of using a shared management certificate.

    (A user needs to have a certificate on his computer to access the Exchange server; without a valid certificate it is impossible for him to open his Microsoft Outlook client.)

    But our consultant, for the record, seems to say that it is impossible. Is it possible? If not, do other solutions exist to limit access to Exchange to desktop computers and laptops?

    Thank you!
    Monday, July 17, 2017 3:08 PM

All replies

  • Phenix1128,

    Your consultant would be correct; however, you may be able to restrict access to Exchange using firewall configurations. If you require all clients to use DirectAccess or VPN to connect in remotely, you can only allow IPs on your local network to be able to communicate with the Exchange servers via MAPI over HTTPS or RPC. You should talk to your consultant about this.

    Very Respectfully,
    Dana Garcia - MCP (Designing and Deploying Microsoft Exchange Server 2016)

    Monday, July 17, 2017 5:50 PM
  • Hi.

    Scenario 1.

    For laptops and desktops, if they are domain members, you can use a GPO to automatically deploy and enroll certificates from the CA.

    For this scenario, you must have PKI services with a root server + sub server + public CRL server, and the laptop's disk drive must be encrypted with BitLocker.

    Scenario 2.

    You can use a third-party application for Multi-Factor Authentication.

    Can Exchange Web Services be Accessed by Bypassing Multi-Factor Authentication?

    Maybe you can use Microsoft Intune.

    PS: I don't use a DirectAccess channel for OWA/Outlook and Lync/S4B. Performance is better when connecting to Exchange directly when it is published on the FW.


    MCITP, MCSE. Regards, Oleg

    Monday, July 17, 2017 7:44 PM
  • Hi,

    Unlike the Allow/Block/Quarantine list for Exchange ActiveSync devices, there's no similar feature for the Outlook client. However, we can use Set-CASMailbox to disable the relevant features for a user mailbox, for example: MAPIBlockOutlookRpcHttp, MapiHttpEnabled, MAPIEnabled.

    More details, for your reference:
    https://technet.microsoft.com/en-us/library/bb125264(v=exchg.160).aspx

    Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Allen_WangJF Monday, July 24, 2017 2:49 PM
    Tuesday, July 18, 2017 9:57 AM
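The Set-CASMailbox approach from the reply above, as an added example that is not part of the original thread. It assumes an Exchange 2016 Management Shell session and a constructed list of approved mailboxes; it treats that list as a mailbox-level allow list, blocking the three Outlook access paths named in the reply for everyone else and then reporting the resulting state.

```powershell
# Added example (not code from the thread). Assumes an Exchange 2016
# Management Shell session; the approved list below is a constructed sample.
# Approved mailboxes keep Outlook (MAPI) access; all other mailboxes have
# MAPI, Outlook Anywhere (RPC over HTTP) and MAPI over HTTP disabled.
# OWA, EWS and ActiveSync are deliberately left unchanged.

$Approved = @('alice@contoso.example', 'bob@contoso.example')   # constructed sample

$All = Get-CASMailbox -ResultSize Unlimited

foreach ($cas in $All) {
    $isApproved = $Approved -contains $cas.PrimarySmtpAddress.ToString()

    $settings = @{
        Identity                = $cas.Identity
        MAPIEnabled             = $isApproved        # $false blocks every Outlook MAPI path
        MAPIBlockOutlookRpcHttp = -not $isApproved   # $true blocks Outlook Anywhere
        MapiHttpEnabled         = $isApproved        # $false blocks MAPI over HTTP
        WhatIf                  = $true              # dry run; remove this line to apply
    }
    Set-CASMailbox @settings
}

# Verify the per-mailbox state (run before and after applying the change)
Get-CASMailbox -ResultSize Unlimited |
    Select-Object PrimarySmtpAddress, MAPIEnabled, MAPIBlockOutlookRpcHttp, MapiHttpEnabled |
    Format-Table -AutoSize
```

Note that these settings apply per mailbox, not per computer, so a user whose mailbox is approved can still open Outlook from any machine; that is why the thread's replies point to firewall or VPN restrictions for a device-level allow list.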