locked
Restrict Outlook connection from VPN RRS feed

  • Question

  • VPN users who connect from home are able to configure Outlook on their local computer to connect to Exchange through VPN  tunnel.  The VPN will assign a special range of IP/subnet to local computer. Is it possible to block connection for this IPs from Exchange side? I tried using CAS IIS --IP Addres and Domain Restriction -add deny entry - then add IP there. But it doesn't work. I tested with one IP and I can still connect to Exchange through Outlook. Does anyone have advice? Thanks.
    Friday, September 15, 2017 11:13 PM

Answers

  • Thanks for your response.

    You can check if the client still use the IP address you've blocked via Netmon tool .

    As i recommended, we can use the firewall to block the VPN connections from Outlook clients.

    Thanks.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Jason.ChaoModerator Friday, September 22, 2017 9:44 AM
    • Marked as answer by AlanG2015 Monday, September 25, 2017 5:49 PM
    Tuesday, September 19, 2017 6:37 AM
    Moderator

All replies

  • VPN users who connect from home are able to configure Outlook on their local computer to connect to Exchange through VPN  tunnel.  The VPN will assign a special range of IP/subnet to local computer. Is it possible to block connection for this IPs from Exchange side? I tried using CAS IIS --IP Addres and Domain Restriction -add deny entry - then add IP there. But it doesn't work. I tested with one IP and I can still connect to Exchange through Outlook. Does anyone have advice? Thanks.

    Nope. I would work this from the VPN side and prevent access to the Exchange servers. 
    Saturday, September 16, 2017 7:48 PM
  • What version of Exchange?

    With Exchange 2013 and 2016, you could use IIS IP address restrictions to block access to the RPC and MAPI virtual directories from the VPN subnets, assuming your VPN uses a separate range of IP addresses.

    If you're asking about Exchange 2013 or 2016, please move the thread to an Exchange 2013 and 2016 forum since this forum is for Exchange 2003 and 2007.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Monday, September 18, 2017 4:47 AM
  • Hi,

    Thanks for contacting our forum.

    You can try to disable the part 1723 for VPN on your firewall.

    Refer to: https://technet.microsoft.com/en-us/library/cc747535(v=ws.10).aspx

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 18, 2017 9:06 AM
    Moderator
  • It's Exchagne 2010. I used IIS IP address restrictions to block certain IP connection to the Default IIS site. But it doesn't work.
    Monday, September 18, 2017 8:21 PM
  • Block at the virtual directory level.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, September 19, 2017 2:12 AM
  • Thanks for your response.

    You can check if the client still use the IP address you've blocked via Netmon tool .

    As i recommended, we can use the firewall to block the VPN connections from Outlook clients.

    Thanks.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Jason.ChaoModerator Friday, September 22, 2017 9:44 AM
    • Marked as answer by AlanG2015 Monday, September 25, 2017 5:49 PM
    Tuesday, September 19, 2017 6:37 AM
    Moderator