Any way to stop external OWA access but allow active sync?

Status
Not open for further replies.

superfun

MIS
Oct 16, 2007
6
US
I currently have OWA and Active sync enabled to the outside world.

I would like to keep Active Sync available but disable OWA to the outside world.

I would like OWA for internal use but not external.

If I block the port then Active Sync will not work.

I do not have or plan to get ISA2006.
I can not disable users from OWA since I want them to use it internally.

Is there a way to restrict OWA to IP addresses?
How about changing the port number for OWA?

I don't know why Microsoft would not have this functionality. Allowing OWA access to be internal, external, both or none.
 
I figured someone would answer my question that way.

Exchange server should have this functionality built in.
You shouldn't need to purchase an application firewall just to close OWA to the outside world.

Anyone else have any ideas on how to close down OWA to the outside.

 
You mean you expected someone to give you the correct answer? I'm a bit confused about your response given Pat's correct reply on how to resolve your situation.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Exchange has no idea where a user is when they log in via OWA. It can deduce that the user is on the other side of a router, but that doesn't mean they're outside your environment.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
58sniper,

thanks for your latest answer, this makes sense to why they would not be able to have such a feature. Thanks for pointing this out.

Do you know if the OWA portion can be set to only allow certain IPs to connect to it? I know in IIS you can do this, but does it work with OWA? I have heard conflicting reports and even a couple of bad experiences with turning this on and people having issues with Exchange 2007.

DaveToo,
My response was the way it was because I said I was not planning on getting ISA2006 and didn't currently have it.
 
I had a similar process I wanted to do. In my case, I wanted to disable direct OWA access and make everybody use our juniper ssl-vpn box to check OWA while maintaining Exchange ActiveSync for cellphone e-mail.

This was all done on server 2003 and exchange 2007.
My exchange server has 2 internal IP addresses
My firewall forwards incoming 443 to either exchange ip or to my juniper ssl-VPN, depending on which external ip it comes in on (webmail.domain.com). All of my phones connect straight to exchange (EAS.domain.com.) My users only know the address for webmail.

IIS has two sites, "default web site" and "external"

I used the cmdlet set-ActiveSyncVirtualDirectory to create a new IIS website listening on a different internal IP address.
I also did set-OwaVirtualDirectory to create a new OWA folder on the new IIS site.

This is the part where it makes or breaks what you're trying to do since my solution allows for OWA access as well as EAS access. I'm not sure if the ActivesyncVD requires that there is also an OwaVD in the site to function. Maybe one of the Exchange Gurus here could answer this.

In IIS manager, on my default website, I altered the directory security tab to only let computers on my internal network access - a moot point since 443 goes through our juniper box anyways.
I left the other website that only had the /owa and /microsoft-server-activesync folders open to the world.

Anyways, here's some famous last words, "it should work, in theory."
Hope this helps you.
 
sorry, that cmdlet was New-ActiveSyncVirtualDirectory and New-OwaVirtualDirectory
 
"You shouldn't need to purchase an application firewall just to close OWA to the outside world."

And what planet are you from?

You should always have a firewall between anything publicly accessible and your internal IT assets, period.
 
WOW!

What a great response XMSRE, maybe you should read my post before replying.

If you would read my post I say nothing about not having a firewall.

We have a firewall and currently port 443 is open, and that is why both OWA and ActiveSync work to the outside world.

The issue was that we want to close OWA access but leave ActiveSync access open. With a standard firewall if you close port 443 then you close both services.

ISA2006 would allow us to do this since it is an application firewall. We are not planning on purchasing another firewall and were looking for a way to do this some other way.

Thank you everyone who helped me out on this. I appreciate all the help. I think forums should be a place to help people and get help when you need it, not tear people apart because you think you're superior in the knowledge department. Remember there is always someone who knows more than you.
 
superfun - you need to chill out, dude. You did not state that you had a firewall, application or otherwise, so xmsre's statement is valid. The fact that now we know you have a firewall would indicate to us that perhaps you have the wrong one because it won't allow you to do what you're trying to do.

What firewall do you have? Have you checked with its manufacturer to see if you can do what you're trying to do with it and you just don't know how?

And finally, if you stick around, you'll find that xmsre is at the top of his game. Making a judgment call on him at this point would be premature on your part. He has a reason or reasons as to why he says things, they may be harsh, but they may also wake you up to some things you've missed and/or are missing. Usually those offended by anyone's comments are looking to be offended.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Now that you've established that you do have a firewall (which you did not previously state; the first mention of a firewall in this thread is the comment by etherbadger) and you're not from a planet that lacks security threats (you don't state that either, but since you have now established that you do have a firewall I think I can safely assume the planet you live on has security threats),

Can your firewall block requests to a specific url? If your outside address is 123.4.5.6 and internal is 10.1.1.3, are you redirecting any old SSL request to 10.1.1.3 or can you specify the URLs of the requests that get forwarded/dropped?

Exchange 2007 EAS still uses the virtual directory called Microsoft-Server-ActiveSync in IIS as the connection point for mobile devices. You would want to prevent requests originating on the outside to that virtual directory from hitting the CAS at the firewall.
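The admission rule xmsre describes (allow the Microsoft-Server-ActiveSync virtual directory from anywhere, allow /owa only from internal addresses) and the IIS-side IP restriction etherbadger set up come down to the same decision table; here it is as an added, constructed example in Python, not code from the thread or from any firewall product. The internal ranges, sample addresses and request lines are assumptions; the point it shows beyond the posts is that the path check must be case-folded and normalized, because IIS matches virtual directories case-insensitively.

```python
"""Source/path admission policy for an Exchange 2007 CAS front end (constructed example)."""
import ipaddress
from posixpath import normpath
from urllib.parse import urlsplit, unquote

# Assumed internal ranges; replace with the site's real addressing.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Virtual directories reachable from outside (EAS only).
EXTERNAL_ALLOWED = ("/microsoft-server-activesync",)

def canonical_path(raw_url: str) -> str:
    """Decode, collapse ./ and ../ segments and lower-case the path, so that
    /OWA/ or /Microsoft-Server-ActiveSync/../owa/ match the same rule as /owa.
    IIS is case-insensitive, so a case-sensitive filter would be bypassable."""
    path = unquote(urlsplit(raw_url).path)
    path = normpath("/" + path.lstrip("/"))   # lstrip avoids POSIX '//' special case
    return path.lower()

def is_internal(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)

def decide(client_ip: str, raw_url: str) -> str:
    """Return 'allow' or 'deny' for one request, default deny for outsiders."""
    path = canonical_path(raw_url)
    if is_internal(client_ip):
        return "allow"                        # internal users get OWA and EAS
    if any(path == p or path.startswith(p + "/") for p in EXTERNAL_ALLOWED):
        return "allow"                        # phones reaching EAS from the Internet
    return "deny"                             # everything else, OWA included

# Constructed sample requests: (client address, requested URL).
SAMPLE = [
    ("10.1.1.50", "/owa/"),
    ("203.0.113.7", "/Microsoft-Server-ActiveSync?Cmd=Sync"),
    ("203.0.113.7", "/owa/auth/logon.aspx"),
    ("203.0.113.7", "/OWA/"),
    ("203.0.113.7", "/Microsoft-Server-ActiveSync/../owa/"),
]

def audit(samples=SAMPLE):
    """Evaluate each sample request; returns (ip, url, verdict) tuples."""
    return [(ip, url, decide(ip, url)) for ip, url in samples]

if __name__ == "__main__":
    for ip, url, verdict in audit():
        print(f"{verdict:5} {ip:<13} {url}")
```

As Pat's reply notes, the filter only sees the source address, so "internal" is only as trustworthy as the network boundary that assigns those addresses.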
 
xmsre,

Yes the planet I live on has many security threats.

I don't think my firewall is capable of blocking based on URLs but I will look into this. This would be a very slick fix.

Thanks for your time, I do appreciate it!

SuperFun
 