Split OWA and ActiveSync for External Users

[1John1]

This is in response to "Any way to stop external OWA access but allow active sync?" (tek-tips.com/viewthread.cfm?qid=1526111&page=20" target="_blank">

http://www.tek-tips.com/viewthread.cfm?qid=1526111&page=20)

which was closed.

I saw several postings online on how to allow internal OWA access, but disallow external OWA access while still allowing Exchange ActiveSync to work. However, I didn't find any good answers, but I did get it to work in our environment so I thought I'd post the steps in case they might be useful for someone else in the future.

This was configured in Exchange 2007. I added a second IP address to the Exchange server. I then set the default bindings in IIS to the main server IP address - this is the site with OWA, etc. I then created a second website in IIS and set the binding to the new IP I added. Then from the Exchange management shell I ran -- New-ActiveSyncVirtual Directory -WebSiteName "New Site Name" -- This created an ActiveSync virtual directory for this new site.

If you get an error:
"Error Message When You Use the New-ActiveSyncVirtualDirectory Cmdlet: A Failure Occurred While Trying to Enable the ISAPI Filter" then you need to:
To resolve this issue, turn on the Remote Registry service. To do this, follow these steps:

1.Click Start, click Run, type services.msc, and then click OK.
2.In the Services dialog box, double-click Remote Registry.
3.In the Remote Registry Properties (Local Computer) dialog box, click Automatic in the Startup type list if this option is not already selected.
4.Click Start.
5.After the Remote Registry service has started successfully, click OK.

On our external firewall I allowed port 443 to the new IP address I created. OWA is working internally using the original IP, but it does not work externally because the virtual directory for OWA doesn't exist on this site. However, OWA still works through the Cisco SSL WebVPN we have configured because that is set to use the internal IP.

I don't know if anyone will find this useful, but just in case..


Best,
John


thread1582-1526111

 

[theravager]

Activesync and owa are enabled/disabled separately per mailbox so you have that level of control to start with.


Assuming you are using ISA you just create bind each type of access rule to a AD group so you can just select the users per service that are allowed external access. You pretty much have outlook anywhere, owa and activesync that can be allowed per user per function.

If you aren't using ISA or something that has similar functionality you have a security disaster waiting to happen.

 

[1John1]

Thanks for the reply and insight.

We don't have ISA, but we do have a Cisco ASA. On the Cisco ASA we have a WebVPN that lets us do group based authentication against AD, so we can control external access to OWA via AD group membership through the ASA. However, the ASA doesn't support ActiveSync so we had to come up with a work around. The workaround was to allow 443/SSL to the ActiveSync only IIS site via a dedicated IP address.

In your opinion does this create a potential security issue? We only have ActiveSync enabled on specific mailboxes, not all mailboxes. Would there be a benefit to sticking ISA in-between the existing Cisco firewall and the ActiveSync server? It seems like we would just be pushing port 443 through 2 firewalls and I didn't know if that was really the way to go or not..


Best,
John

 

[theravager]

As to the security risk, you are going to get all sorts of different answers.

I don't know much about ASA but I suspect as long as you can limit the path name its probibly ok as it will drop stuff that's calling different urls, some of which I believe are there regardless of another website.

Off memory its something like /microsoft-server-activesync.

Isa in this instance isn't really functioning as a firewall but a reverse proxy with authentication, which is generally the function you see it used as in conjunction with another brands firewall.

Comes down to I guess how much ISA is vs security risk and only someone with expert level knowledge could comment. Tom shinders ISA forums would be a good place to ask to get a subject matter expect opinion but be warned hes a ISA is the be all and end all product

The one thing that I found when I implemented all the 2007 features here was Outlook Anywhere which was added as a may as well configure seeing it takes 15 minutes ended up being majorly in demand with senior execs once a couple trialed it. That feature I definitely wouldn't intergrate without using something like ISA. If this feature could be used in your organisation its definately worth the ISA purchase.