Block MAPI over HTTP over the Internet ONLY

  • Question

  • Hi,

    I've been doing some digging around to find a suitable solution.  We run Exchange 2013 CU 23.  We are trying to control the Outlook access outside our network.  Now I know about blocking MAPI over RPC (OutlookAnywhere) by disabling the MAPIBlockOutlookRpcHttp.  I've attempted to do that, and it does prevent RPC connections, but even outside the network, using MAPI over HTTP, I can see in the status that Outlook does connect using MAPI over HTTP.

    I know that there is the option of MAPIBlockOutlookExternalConnectivity; however, the article regarding this option states that if you have the same Internal Namespace as the External Namespace, it won't work.  So I'm thinking the solution might involve changing our external namespace.  I'd rather not go that route, but if we have to, we will.  Is there something I'm missing with trying to limit external access via Outlook?


    JB

    Friday, August 2, 2019 4:44 PM

All replies

  • Hi JBerg712, 

    MAPIBlockOutlookRpcHttp is the most suitable action to block external access from Outlook.

    Could you tell us about why do you want to do that?

    If you want to prevent users from accessing their mailbox from outside your organization, you also need to block OWA for them. In this scenario, you can remove the "mail.yourdomain.com" record from your public DNS provider; in this way, no request will be able to resolve.

    If you just want to block Outlook for users but keep OWA for them, you may need to do some configuration on your firewall to block the Autodiscover request, or use different URLs for internal and external clients.

    Regards,

    Kyle Xu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, August 5, 2019 5:44 AM
  • We're not wanting to remove access for ALL users.  We will have a select few that we do need to have Outlook access outside the organization.

    Now the MAPIBlockOutlookRpc is only for Outlook Anywhere.  We've enabled MAPI over HTTP.  The behavior we're seeing is that the clients connect via MAPI over HTTP externally and not through OutlookAnywhere.

    Now, I've been researching and playing with the option MAPIBlockExternalConnectivity.  This article explains the parameter:  https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/set-casmailbox?view=exchange-ps

    We've altered the Internal and External URLs and updated our certificate with a new external namespace.  I'm a bit confused by the part in the article that says the Autodiscover URL must differ between external and internal in order for this parameter to be effective.

    From the article: "Note: If your organization uses the same Autodiscover URL values for internal and external clients, setting this parameter to $true won't block access for external clients."

    What would internal and external URLs for Autodiscover look like, since Outlook is predefined to do certain lookups?


    JB

    Monday, August 5, 2019 3:35 PM
    So here's something I found out about using the MAPIBlockExternalConnectivity parameter.  It does work.  I can see that it does strip the external URL links like it should.  Outlook actually attempts to use the internal links to connect, which are no longer in public DNS.  However, I did find out that I can trick the system by adding an entry to my system's local HOSTS file for the internal link, and Outlook will connect.

    We do have MAPI over RPC blocked as well to prevent Outlook Anywhere; however, with this turned off, we successfully see MAPI over HTTP connections with Outlook happening.

    So is there any solution to blocking external access for some mailboxes?  I know we could just turn it off completely, but there are users who do need it.  Any other suggestions/solutions?


    JB

    Wednesday, August 7, 2019 9:19 PM
  • Hi,

    Based on my testing, if you want to block external access to Outlook for a specific user, you could use the command below. It will only block access for that specific user; it will not affect other users:

    Set-CASMailbox user@domain.com -MAPIBlockOutlookExternalConnectivity $true

    In this way, the user can use Outlook inside your domain, but will not be able to use Outlook from outside your domain.

    >>If your organization uses the same Autodiscover URL values for internal and external clients, setting this parameter to $true won't block access for external clients.

    The meaning of this sentence is that you should use different URLs for every service's internal and external URL (because when you change the URL for Autodiscover, it will affect all other services).

    Please note: don't use "MAPIBlockOutlookRpc"; it will block both internal and external access.

    Regards,

    Kyle Xu



    Thursday, August 8, 2019 2:02 AM
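As an added example (not code from the thread or from Microsoft's documentation), the following Exchange Management Shell script ties together the two points raised above: it first checks the precondition that the article and Kyle Xu's reply describe, namely that internal and external URLs differ, since MAPIBlockOutlookExternalConnectivity is a no-op when they are the same, and then applies the per-mailbox block only to a chosen list of mailboxes and lists every mailbox that currently carries it, so the restricted set can be audited. The server name and the mailbox addresses are placeholders; the cmdlets and parameters are standard Exchange 2013 ones.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on Exchange 2013.
# $Server and $BlockList are placeholders to replace with your own values.

$Server    = 'EX01'                                      # placeholder server name
$BlockList = @('user1@domain.com', 'user2@domain.com')   # placeholder mailboxes to restrict

# 1. Precondition: the parameter only blocks external clients when the internal and
#    external values differ. Compare them for the endpoints Outlook uses.
$mapi = Get-MapiVirtualDirectory -Server $Server
$oa   = Get-OutlookAnywhere -Server $Server
$cas  = Get-ClientAccessServer -Identity $Server

$checks = @(
    @{ Name = 'MAPI/HTTP';        Internal = "$($mapi.InternalUrl)";    External = "$($mapi.ExternalUrl)" }
    @{ Name = 'Outlook Anywhere'; Internal = "$($oa.InternalHostname)"; External = "$($oa.ExternalHostname)" }
)
foreach ($c in $checks) {
    if ($c.Internal -ne '' -and $c.Internal -eq $c.External) {
        Write-Warning ("{0}: internal and external values are identical ({1}); " +
                       "MAPIBlockOutlookExternalConnectivity will not block external clients." -f $c.Name, $c.Internal)
    } else {
        Write-Host ("{0}: internal={1} external={2}" -f $c.Name, $c.Internal, $c.External)
    }
}
# The internal Autodiscover URI must likewise differ from the name that public DNS serves
# (autodiscover.<smtp-domain>); print it so it can be compared against the public record.
Write-Host "AutoDiscoverServiceInternalUri: $($cas.AutoDiscoverServiceInternalUri)"

# 2. Apply the block per mailbox. Mailboxes not in $BlockList are left untouched.
foreach ($id in $BlockList) {
    Set-CASMailbox -Identity $id -MAPIBlockOutlookExternalConnectivity $true
}

# 3. Verify: list every mailbox that is currently restricted, alongside the RPC/HTTP flag,
#    so the restricted set can be reviewed against the intended list.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.MAPIBlockOutlookExternalConnectivity } |
    Select-Object Name, PrimarySmtpAddress, MAPIBlockOutlookExternalConnectivity, MAPIBlockOutlookRpcHttp |
    Format-Table -AutoSize
```

The warning in step 1 is the important part for this thread: the control works by handing external clients only the internal URLs, so it depends on those internal names not being reachable from the Internet. JB's HOSTS-file observation above shows the limit of that approach, which is why it is worth pairing it with the firewall or namespace separation Kyle Xu mentions and with a periodic review of step 3's output.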
  • Hi,

    I am writing here to confirm with you how things are going now.

    If the above suggestion helps, please feel free to mark it as an answer to help more people.

    Regards,

    Kyle Xu



    Friday, August 16, 2019 10:39 AM
  • Hello,

    Same scenario here. Do we have a solution on this issue?

    Wednesday, July 15, 2020 8:35 PM