Restrict external access to OWA

Thread starter: Magno Alberto de Almeida | Views: 4,887
Status: Not open for further replies.

Magno Alberto de Almeida

Hi!!!

I'm trying to create a second instance of OWA (Exchange 2010/Win2008) to allow external access for only 6 users.

I created a second website (IIS7) using another port (https/44321).

I created a second OWA using the cmdlet New-OwaVirtualDirectory and specified the name of that new site.

In IIS, in the settings of that new site, I removed the permission "All users" in "Authorization rules" and added a Global Security Group (this group has the users who can access from the Internet).

I disabled "Anonymous" and enabled "Basic" in the "Authentication" feature.

If I access through the address https://exchange.enterprise.com:44321, this works: I was able to allow access to those users. But if I then append /OWA, any domain user can access. =(

I tried to find a solution in various documents, but I am still stuck at this point.

Thanks!
 

Fazal Muhammad Khan_

Thank you for your post here.

Just for the sake of curiosity: could you tell why you want to restrict users so they should not access email externally?

Let's come to the issue.

Open the new IIS virtual directory on your Exchange machine.

The problem is you have applied the permission on the root of the directory, but it is not inherited by the subdirectories.

Open the virtual directory and click on Expand so that you can see the subdirectories as well.

Right-click on the "OWA" virtual directory, click Permissions, remove Authenticated Users and add that security group.

This should solve your issue.

Regards

Fazal M Khan
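The diagnosis above (a rule set at the site root that does not carry through to /owa) can be checked rather than guessed. The script below is an added example, not code from the thread or from Microsoft: for the second site's root and its /owa application it prints the IIS URL-authorization rules in effect, the enabled authentication modules, and the NTFS ACL of the folder each node serves from. The site name "MAIL" follows the thread; it assumes the IIS "URL Authorization" role service is installed (it must be, since the question edited Authorization Rules) and that the script runs elevated on the CAS. On Windows Server 2008 without R2, use Add-PSSnapin WebAdministration instead of Import-Module.

```powershell
# Added example: what governs access at the site root versus /owa on the second site.
# Assumes IIS 7 with the WebAdministration module and a site named "MAIL".
Import-Module WebAdministration

$Site = "MAIL"

foreach ($node in @("IIS:\Sites\$Site", "IIS:\Sites\$Site\owa")) {
    Write-Host "`n=== $node"

    # 1. URL authorization rules effective at this node. A rule added on the site
    #    root only protects /owa if it is still present (inherited) at this level.
    Get-WebConfiguration -Filter "/system.webServer/security/authorization/*" -PSPath $node |
        Select-Object ElementTagName, accessType, users, roles |
        Format-Table -AutoSize

    # 2. Authentication modules enabled at this node.
    foreach ($m in "anonymousAuthentication", "basicAuthentication", "windowsAuthentication") {
        $enabled = (Get-WebConfigurationProperty -PSPath $node `
            -Filter "/system.webServer/security/authentication/$m" -Name enabled).Value
        Write-Host ("{0,-25} enabled={1}" -f $m, $enabled)
    }

    # 3. NTFS ACL on the physical folder behind this node. An Allow entry for
    #    "Authenticated Users" here means every domain account passes the
    #    file-system check, whatever group was added in IIS.
    $phys = (Get-Item $node).physicalPath
    Write-Host "physicalPath: $phys"
    (Get-Acl $phys).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

Two separate checks decide the request: URL authorization (IIS, per URL path) and the NTFS ACL (file system, per folder). Compare the two listings for the root and for /owa; the level where the restriction disappears is where the fix has to go.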
 

WJolley

Could you not just disable OWA in the user Properties under Mailbox features?
 

Joseph M Durnal

It could be that OWA is needed on the inside for all users.

If using ISA/TMG, you can configure the publishing rule to only authenticate the users you want.

Joseph Durnal
 

Fazal Muhammad Khan_

It could be that OWA is needed on the inside for all users. (Why would you not want anyone to check their email from home? :) Nothing would be more beneficial for a company than a user accessing his email and working even when he is at home.)

If using ISA/TMG, you can configure the publishing rule to only authenticate the users you want. (Agree with you here.)

Regards

Fazal M Khan
 

Magno Alberto de Almeida

Thanks for the suggestions...

I also would like to know why external access is restricted to some users... The only thing I know is the so-called company policy... =(

Please correct me if I'm wrong, but in Exchange 2003 I remember it was possible to restrict external access by creating a second OWA, because this second OWA was a separate instance, right?

About ISA/TMG... no way (yet)... It was very difficult to get the budget to purchase the CALs and the Exchange license...

And if (hypothetically) I created a second website bound to another public IP, and this second WEBSITE did not create a second OWA but had a WEB.CONFIG that would authorize the user or not and, if approved, redirect to /OWA on the DEFAULT WEB SITE? But if this is right, how could I prevent someone from typing /OWA after the original address anyway?

Thanks!
 

Fazal Muhammad Khan_

Thank you for your reply.

Let me clarify what you have to do.

You would run the PowerShell cmdlet to create a new virtual directory for OWA.

You would create that virtual directory for external users.

Add a host header in IIS so that the virtual directory you created resolves as external.xyz.com, and assign the public IP that is on the CAS to that external virtual directory. (To be clear, this is not a recommended configuration for publishing OWA, as your CAS role would be open for anyone to come and have a crack at it :) )

Then you would create a record in PUBLIC DNS: external.xyz.com -----55.0.0.1

And now go into that virtual directory and:

Open the new IIS virtual directory on your Exchange machine.

The problem is you have applied the permission on the root of the directory, but it is not inherited by the subdirectories.

Open the virtual directory and click on Expand so that you can see the subdirectories as well.

Right-click on the "OWA" virtual directory, click Permissions, remove Authenticated Users and add that security group.

This should solve your issue.

Regards

Fazal M Khan
 

Magno Alberto de Almeida

Hi Fazal... thanks again...

Unfortunately, I tried it on another server that I use as a lab, and if I remove the NTFS permission for that group (Authenticated Users), this impacts all instances of OWA.

I get this error in OWA:

The custom error module does not recognize this error

...or am I forgetting to do something? I followed all your steps... =/
 

Fazal Muhammad Khan_

Thank you for your post here.

You need to do some testing for me now :) (in the LAB, which is separate from production).

1) Does this issue only happen when you remove Authenticated Users from the OWA directory? (I hope yes.)

2) Add Authenticated Users back.

3) Open AD and create 3 users in it: A, B, C. Create mailboxes for these users, log in to OWA and see that things are all good.

4) Now add these 3 users to a group named BLOCK.

5) Now add this group on the OWA virtual directory and click Deny for all the permissions.

6) Restart IIS now and restart the CAS service.

7) Try logging in now as one of the users who were in that group.

Is it logging in now?

I hope no :)

Regards

Fazal M Khan
 

Magno Alberto de Almeida

Thanks again!!!

But... unfortunately... no way... =´(

From what I see, any change in the new OWA directly impacts the DEFAULT OWA, and consequently blocks these users when they access the DEFAULT OWA (when they access OWA internally). Is there some setting I can apply directly in WEB.CONFIG?

Thanks for any help. Any suggestions?
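The effect reported above (an NTFS change on the new OWA showing up on the default one) follows when both virtual directories are backed by the same folder, since a folder has exactly one ACL. The script below is an added example, not code from the thread: it lists every OWA virtual directory on the CAS with the folder its IIS application serves from, and warns when one folder is shared. It assumes the Exchange 2010 management snap-in and the IIS WebAdministration module are available on the server; the function name is mine.

```powershell
# Added example: map each OWA virtual directory to its physical folder and flag
# folders that more than one virtual directory shares. Exchange 2010 / IIS 7.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
Import-Module WebAdministration

function Get-OwaPathMap {
    param([string]$Server = $env:COMPUTERNAME)
    foreach ($vd in Get-OwaVirtualDirectory -Server $Server) {
        # The IIS application named "owa" under the site the vdir was created on
        $app = Get-WebApplication -Site $vd.WebSiteName -Name "owa"
        New-Object PSObject -Property @{
            Identity     = $vd.Identity
            WebSite      = $vd.WebSiteName
            ExchangePath = $vd.Path            # path Exchange recorded at creation
            IisPath      = $app.physicalPath   # path IIS actually serves from
            Basic        = $vd.BasicAuthentication
            Forms        = $vd.FormsAuthentication
        }
    }
}

$map = Get-OwaPathMap
$map | Format-Table Identity, WebSite, IisPath, Basic, Forms -AutoSize

# A folder listed under two identities has one ACL: any ACE added or removed for
# the "external" vdir is, by construction, also in force for the default one.
$shared = $map | Group-Object IisPath | Where-Object { $_.Count -gt 1 }
foreach ($g in $shared) {
    $names = ($g.Group | ForEach-Object { $_.Identity }) -join ", "
    Write-Warning ("{0} is shared by: {1}" -f $g.Name, $names)
    (Get-Acl $g.Name).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

If the new virtual directory was created with New-OwaVirtualDirectory without a -Path, it points at the same ClientAccess\Owa folder as the default one, and the warning will fire; a per-folder ACL can then only restrict both or neither.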
 

Leandro Cascão

Hi Magno,

I have the same problem. All users must use OWA on the intranet and only some holy users do it on the Internet. I created a new OWA folder and use NTFS permissions to control the access. Here is the procedure I used:

Create AD Group

ex: OWA_EXT_USR

- In IIS

Create a new WEB SITE

- New IP
- Ports 80 / 443
- Name MAIL
- Default Path - C:\inetpub\wwwroot

Install Certificate (HTTPS) for External Users

Copy the folders:

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa
C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ecp

to

Ex:

C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa
C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp

On IIS - ISAPI and CGI Restrictions

Give permission ALLOW to this DLL:

C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\auth\owaauth.dll

On Exchange PowerShell

New-OwaVirtualDirectory -WebSiteName "MAIL" -Path "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa"

New-EcpVirtualDirectory -WebSiteName "MAIL" -Path "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp"

Fix Virtual Directory Path

Exchange
Exchweb
Public

In IIS - change the Virtual Directory Path

...\V14\ClientAccess\Owa

to

...\V15\ClientAccess\Owa

In Exchange Console

- Server Configuration > Client Access > <server> > Outlook Web App > owa (Mail) > Properties

Authentication > Use one or more standard authentication methods > Integrated / Basic

- Server Configuration > Client Access > <server> > Exchange Control Panel > ecp (Mail) > Properties

Authentication > Use one or more standard authentication methods > Integrated / Basic

Now NTFS Permissions

Folder

C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa

SYSTEM FULL
ADM FULL
OWA_EXT_USERS READ

C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\auth

SYSTEM FULL
ADM FULL
OWA_EXT_USERS READ
Authenticated Users READ

C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\14.0.636.21

SYSTEM FULL
ADM FULL
OWA_EXT_USERS READ
Authenticated Users READ

C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp

SYSTEM FULL
ADM FULL
OWA_EXT_USERS READ

C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\14.0.636.21

SYSTEM FULL
ADM FULL
OWA_EXT_USERS READ
Authenticated Users READ

Reset IIS

Now you can control the access to this OWA using the group OWA_EXT_USERS.

I hope this is helpful.
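The procedure above, as one script. This is an added example, not the poster's own script or a Microsoft-supported tool: it keeps the names from the post (site MAIL, group OWA_EXT_USERS, the V15 copy target, the legacy virtual directories Exchange, Exchweb and Public) and uses placeholders for the public IP and the certificate thumbprint, which you replace. It assumes Windows Server 2008 R2 with the ActiveDirectory and WebAdministration modules, run elevated inside the Exchange Management Shell on the CAS. The helper Set-FolderAcl is mine; the version folder (14.0.636.21 in the post) is detected rather than hard-coded.

```powershell
# Added example: Leandro's second-OWA procedure scripted end to end.
Import-Module WebAdministration
Import-Module ActiveDirectory

$Group    = "OWA_EXT_USERS"
$SiteName = "MAIL"
$SiteIP   = "203.0.113.10"                                 # placeholder public IP
$Thumb    = "0000000000000000000000000000000000000000"     # placeholder cert thumbprint
$Src      = "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess"
$Dst      = "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess"
$Admins   = "BUILTIN\Administrators"                       # the post's "ADM"

# 1. AD group that decides who may use the external OWA
if (-not (Get-ADGroup -Filter { Name -eq $Group })) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}

# 2. Second web site on its own IP, ports 80 and 443, with the external certificate
New-WebSite -Name $SiteName -PhysicalPath "C:\inetpub\wwwroot" -IPAddress $SiteIP -Port 80
New-WebBinding -Name $SiteName -Protocol https -IPAddress $SiteIP -Port 443
Get-Item "Cert:\LocalMachine\My\$Thumb" | New-Item "IIS:\SslBindings\$SiteIP!443"

# 3. Private copies of the Owa and ecp folders (gives them their own NTFS ACLs)
foreach ($d in "Owa", "ecp") { Copy-Item "$Src\$d" "$Dst\$d" -Recurse -Force }

# 4. Allow the copied authentication ISAPI in "ISAPI and CGI Restrictions"
Add-WebConfiguration -PSPath "IIS:\" -Filter "/system.webServer/security/isapiCgiRestriction" `
    -Value @{ path = "$Dst\Owa\auth\owaauth.dll"; allowed = $true; description = "OWA external auth" }

# 5. Exchange virtual directories on the new site, standard auth (Integrated + Basic)
New-OwaVirtualDirectory -WebSiteName $SiteName -Path "$Dst\Owa"
New-EcpVirtualDirectory -WebSiteName $SiteName -Path "$Dst\ecp"
Set-OwaVirtualDirectory -Identity "$env:COMPUTERNAME\owa ($SiteName)" `
    -FormsAuthentication $false -BasicAuthentication $true -WindowsAuthentication $true
Set-EcpVirtualDirectory -Identity "$env:COMPUTERNAME\ecp ($SiteName)" `
    -FormsAuthentication $false -BasicAuthentication $true -WindowsAuthentication $true

# 6. Repoint the legacy virtual directories the post lists to the copy
foreach ($v in "Exchange", "Exchweb", "Public") {
    Set-ItemProperty "IIS:\Sites\$SiteName\$v" -Name physicalPath -Value "$Dst\Owa"
}

# 7. NTFS: break inheritance and write an explicit ACL per folder
function Set-FolderAcl([string]$Path, [hashtable]$Grants) {
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    foreach ($principal in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, $Grants[$principal], "ContainerInherit,ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}
$base = @{ "NT AUTHORITY\SYSTEM" = "FullControl"; $Admins = "FullControl"; $Group = "Read" }
$withAuthUsers = $base.Clone()
$withAuthUsers["NT AUTHORITY\Authenticated Users"] = "Read"   # auth and version folders only

$ver = (Get-ChildItem "$Dst\Owa" |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+(\.\d+){3}$' } |
    Select-Object -First 1).Name                              # e.g. 14.0.636.21
Set-FolderAcl "$Dst\Owa"      $base
Set-FolderAcl "$Dst\Owa\auth" $withAuthUsers
Set-FolderAcl "$Dst\Owa\$ver" $withAuthUsers
Set-FolderAcl "$Dst\ecp"      $base
Set-FolderAcl "$Dst\ecp\$ver" $withAuthUsers

# 8. Apply
iisreset
```

The ACL step is what makes the restriction hold: with inheritance broken and no Allow entry for Authenticated Users on the Owa root, a domain account outside OWA_EXT_USERS fails the file-system check before any OWA code runs, while the auth and version subfolders keep Authenticated Users so the logon page and its static content still load. Two caveats a practitioner should weigh: Exchange update rollups and service packs patch the V14 tree only, so the V15 copy stays on the old build until it is re-copied and re-ACLed after every update, and an OWA served from a copied folder is not a configuration Microsoft supports.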
 

Ceasarli

Gents, I am being asked the same thing as stated in this thread, but just in case let me post it here again.

The request is to prevent specific users from accessing email via full Outlook internally and OWA externally; the rest of the users will be able to use whichever solution.

I need to create, in Exchange 2010, a solution that will allow me to restrict users from accessing their email accounts as stated above.

I believe this solution matches my issue; can anyone elaborate on the findings?

thanks

cesar
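The request above (block particular users from both Outlook and OWA) is the case where the per-mailbox switches WJolley mentioned earlier, "disable OWA in the user properties under Mailbox features", fit: Set-CASMailbox turns individual client protocols off per mailbox regardless of which site or virtual directory the user connects to. The script below is an added example, not from the thread: it applies those switches to every member of one AD group and reports the result. The group name and function name are placeholders; it assumes the Exchange Management Shell on a server with the ActiveDirectory module.

```powershell
# Added example: per-mailbox protocol switches for the members of one AD group.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Set-MailAccessForGroup {
    param(
        [string]$GroupName,                 # AD group listing the restricted users
        [bool]$OwaEnabled  = $false,        # Outlook Web App
        [bool]$MapiEnabled = $false,        # full Outlook (MAPI)
        [switch]$WhatIf                     # dry run: show the changes, make none
    )
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq "user" }

    foreach ($m in $members) {
        # Skip group members that have no mailbox
        $cas = Get-CASMailbox -Identity $m.SamAccountName -ErrorAction SilentlyContinue
        if (-not $cas) { continue }
        Set-CASMailbox -Identity $cas.Identity -OWAEnabled $OwaEnabled `
            -MAPIEnabled $MapiEnabled -WhatIf:$WhatIf
    }

    # Report what is in effect now; other protocols are shown so nothing is missed
    foreach ($m in $members) {
        Get-CASMailbox -Identity $m.SamAccountName -ErrorAction SilentlyContinue |
            Select-Object Name, OWAEnabled, MAPIEnabled, ActiveSyncEnabled, PopEnabled, ImapEnabled
    }
}

# Dry run first, then apply
Set-MailAccessForGroup -GroupName "BLOCK" -WhatIf | Format-Table -AutoSize
Set-MailAccessForGroup -GroupName "BLOCK" | Format-Table -AutoSize
```

The report columns are the point of the second loop: a user blocked from OWA and MAPI can still read mail over ActiveSync, POP3 or IMAP4 unless those are switched off on the same cmdlet (-ActiveSyncEnabled, -PopEnabled, -ImapEnabled). Note that these switches are per mailbox, not per entry point, which is why they answer this request but not the original question in the thread, where all users need OWA internally.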
 

Fazal Muhammad Khan_

Do you have ISA/TMG? If yes, you can restrict users through it.

Fazal Muhammad Khan | MCT, MCSE, MCSA, MCTS | Infrastructure Consultant, Technology Services | CDC Pakistan Ltd. | https://fazalmkhan.spaces.live.com | OFFICE: +92 21 111 111 500 Ext: 1402 | +5 GMT
 

RPK2000

Theoretically speaking could one take some of these steps and accomplish the goal with Exchange 2007?
 