Limit external users access to OWA

  • Thread starter Alaaay

Alaaay

Hi All

I am working on publishing OWA. Can I limit the users who can access OWA from the internet, without affecting the internal network access?
I am using a Front End Exchange Server.

Thanks.
 

Le Pivert

Do you mean:

1 - Allow some users, but not others, to use or access OWA?

or

2 - Limit simultaneous connections from the Internet?

1 is possible but it would apply both internally and externally.

It looks like you might want to allow user A to access his mail via OWA from inside the company network but not from outside.

I don't believe that is possible.
 

Jon-Alfred Smith



In order to manage OWA on Exchange 2003 Front-End servers, you should use this tool:
Microsoft Outlook Web Access 2003 Web-based Administration
http://www.msexchange.org/tutorials/Outlook-Web-Access-Web-based-Administration.html

Microsoft Exchange Server Outlook Web Access Web Administration
http://www.microsoft.com/downloads/details.aspx?familyid=4BBE7065-A04E-43CA-8220-859212411E10&displaylang=en

With ISA Server 2006 you can restrict users from the Internet. When you create an OWA publishing rule, by default the rule applies to All Users. You can, however, qualify the user sets that will have access to this rule. (Publishing rules with Exchange 2003 and 2007 are not very different.) See #22:

22. On the User Sets page, the default setting is All Authenticated Users. This allows all users who successfully authenticate with the ISA Firewall to have their connection requests forwarded to the Exchange Server. You also have the option to limit access to certain groups, so that even if a user can successfully authenticate, the user must be part of a specific group in order to be authorized to access the Exchange Server. Later in this paper we'll explore how to limit access to certain groups.
In this example we'll accept the default settings and click Next.

ISA Firewall Publishing OWA and RPC/HTTP with a Single IP Address: Part 3 - Single Exchange Server with Separate DC Scenario/LDAP Authentication
http://www.redline-software.com/eng/support/articles/isaserver/publishing/isa-firewall-publishing-owa-rpc-http-single-ip-address-part3.php

Publishing Exchange Server 2007 with ISA Server 2006

http://technet.microsoft.com/en-us/library/bb794751.aspx#rule

See also Internal vs External access to OWA
http://social.technet.microsoft.com/forums/en-US/exchangesvrclients/thread/a2d74d1f-39c2-4c35-acfb-81c7d921b587/

MCTS: Messaging | MCSE: S+M | Small Business Specialist
 

Alaaay



Thank you for your very valuable reply.

I was comparing the article on the "Redline-software" website and I'm not sure if it's compatible with my case.

In my case all external users' requests are forwarded to the front end Exchange Server through a firewall, and then the FE Exchange Server forwards the requests to the BE Exchange Server through the ISA Server.

My ISA Server only contains one rule that allows all from the FE to the BE, so it recognizes no users. Users don't authenticate with the ISA Server, so I'm not sure that I can control them by ISA rules.



 

Allen Song



Hi,

From the Exchange side, that is impossible. But with ISA, you can implement a rule to achieve it.

Thanks

Allen

 

Jon-Alfred Smith



In my case all external users' requests are forwarded to the front end Exchange Server through a firewall, and then the FE Exchange Server forwards the requests to the BE Exchange Server through the ISA Server.

My ISA Server only contains one rule that allows all from the FE to the BE, so it recognizes no users. Users don't authenticate with the ISA Server, so I'm not sure that I can control them by ISA rules.



One solution could be to reconsider your design. With Exchange 2000 / 2003, your current design was at one point recommended by Microsoft. I was myself involved in making this work through Cisco Secure PIX firewalls. I think this is a lot easier to accomplish with ISA than with PIX. Neither the Cisco nor the Exchange team found the end effect to be particularly secure.

Later Microsoft changed its recommendations: Move front-end servers into the internal network and ISA out to the DMZ. (With Exchange 2007 / 2010, front-end servers in the DMZ is no longer supported.) That's what we do: A small ISA Server 2006 array is inside the DMZ with the outside NICs. The inside NICs are part of the internal network. And ISA is part of the domain.

Hardware-based firewalls on the edge take care of basic packet filtering with ASICs, which they can do a lot faster than ISA. ISA then takes care of the application layer protection (OSI layer 7, DoD layer 4). ISA is configured to do pre-authentication by querying Active Directory, do packet inspection and forward the traffic to the Exchange front-end servers (in Exchange 2007 these are the CAS servers).

Internet clients go through ISA, inside clients talk directly to the CAS NLB. In addition we use a split DNS: webmail.mydomain.com refers to a public address that directs the traffic through ISA, and a private address that refers to the CAS NLB.

With this configuration you should be able to "limit the users who can access OWA from the Internet, and that without affecting the internal network access," your initial requirement. In addition you are well prepared to make the move to Exchange 2007 / 2010.

Take a look at these two articles:
Don't put CAS in the Perimeter network!
http://msexchangeteam.com/archive/2009/10/21/452929.aspx

ISA 2006 SP1 Configuration with Exchange 2010
http://msexchangeteam.com/archive/2009/12/17/453625.aspx

MCTS: Messaging | MCSE: S+M | Small Business Specialist
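The access design described in the reply above (split DNS so that internal clients reach the CAS NLB directly while Internet clients land on ISA, and ISA pre-authenticating against the directory and applying a user set before forwarding to the front end) as an added Python model. This is illustration code written for this thread, not code from the poster, from ISA Server or from Microsoft; the networks, addresses, user accounts, passwords and the group name OWA-Internet-Users are all constructed.

```python
import hmac
import ipaddress
from typing import Dict, Tuple

# Constructed topology: RFC 1918 space is "inside", everything else is the Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Split DNS: one name (webmail.mydomain.com), two answers depending on which
# resolver the client reaches. Both addresses are constructed.
CAS_NLB_ADDR = "10.0.5.10"        # private address of the CAS / front-end NLB
ISA_PUBLIC_ADDR = "203.0.113.10"  # public address owned by the ISA array

# Constructed directory standing in for the Active Directory lookups ISA performs.
USERS: Dict[str, str] = {"alice": "alice-secret",
                         "bob": "bob-secret",
                         "carol": "carol-secret"}
GROUPS: Dict[str, set] = {"OWA-Internet-Users": {"alice", "bob"}}

# User set attached to the OWA publishing rule. The rule's default would be
# "All Authenticated Users"; narrowing it to a group is the whole point here.
OWA_RULE_USER_SET = "OWA-Internet-Users"


def is_internal(client_ip: str) -> bool:
    """True when the client sits on one of the internal networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve_webmail(client_ip: str) -> str:
    """Split DNS: internal clients get the CAS NLB, Internet clients get ISA."""
    return CAS_NLB_ADDR if is_internal(client_ip) else ISA_PUBLIC_ADDR


def check_credentials(user: str, password: str) -> bool:
    """Constant-time credential check against the constructed directory."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def isa_preauth(user: str, password: str, user_set: str) -> Tuple[bool, str]:
    """ISA pre-authentication, then authorization against the rule's user set.

    A valid password alone is not enough on the Internet path: the account
    must also be a member of the group named in the publishing rule.
    """
    if not check_credentials(user, password):
        return False, "authentication failed at ISA"
    if user not in GROUPS.get(user_set, set()):
        return False, "authenticated but not in user set " + user_set
    return True, "forwarded to CAS by ISA"


def owa_request(client_ip: str, user: str, password: str) -> dict:
    """Evaluate one OWA logon the way the two-path design would."""
    if resolve_webmail(client_ip) == CAS_NLB_ADDR:
        # Inside clients never traverse ISA; the CAS authenticates them itself
        # and no group restriction applies, so internal access is unaffected.
        ok = check_credentials(user, password)
        return {"path": "direct-to-CAS", "allowed": ok,
                "reason": "authenticated by CAS" if ok else "authentication failed at CAS"}
    allowed, reason = isa_preauth(user, password, OWA_RULE_USER_SET)
    return {"path": "via-ISA", "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    # carol is a valid account but not in the Internet user set.
    print(owa_request("10.0.1.20", "carol", "carol-secret"))     # inside: allowed
    print(owa_request("198.51.100.7", "carol", "carol-secret"))  # outside: denied
    print(owa_request("198.51.100.7", "alice", "alice-secret"))  # outside, in group: allowed
```

The model makes the thread's requirement concrete: carol can use OWA from the inside because that path never touches the publishing rule, while the same account is refused from the Internet even with a correct password, because ISA authorizes against the group rather than against "All Authenticated Users".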
 

Alaaay

Thank you very much. It was a very important and helpful reply.
 