Exchange Server Forums

Provisioning OWA (internal access vs. external access)

Provisioning OWA (internal access vs. external access) - 18.Jul.2006 10:00:55 PM   
robynk

 

Posts: 4
Joined: 18.Jul.2006
Status: offline
I am working on an Inter-Org migration from Exchange 5.5 to Exchange 2003 SP2.  This will entail consolidating 3 different companies to one Exchange server.  One of the companies wants their users to only be able to access OWA internally (when VPN'd in).  It appears with Exchange 2000 you would provision certain users to be able to use OWA from the Internet, but it does not appear that this can be done with Exchange 2003 SP2 because the Web Dav address check is not present.   I know we can disable the http protocol, but that will restrict OWA completely.

I want to be able to allow some people to access OWA from the internal network and from the Internet, but for some people allow access only from the internal network.   I thought I could create a different URL for internal users (just add the URL to the internal DNS, so it is not resolvable externally).  But as long as they know the main URL they can still access from the Internet.

I think there is a way to set up provisioning on the ISA server (the Exchange server sits behind an ISA server), but I am not familiar with ISA rules or configuration.  Has anyone done this before?  Any other suggestions?

Thanks
-Robyn
Post #: 1
RE: Provisioning OWA (internal access vs. external access) - 18.Jul.2006 10:14:24 PM   
de.blackman

 

Posts: 3502
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
Maybe this will help

How to manage Outlook Web Access features in Exchange Server 2003
http://support.microsoft.com/kb/830827/

_____________________________

Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator
Navantis
@IbrahimBenna

(in reply to robynk)
Post #: 2
RE: Provisioning OWA (internal access vs. external access) - 18.Jul.2006 10:40:57 PM   
robynk

 

Posts: 4
Joined: 18.Jul.2006
Status: offline
Thanks for the quick reply.  I had seen that article.  It is a little confusing, but if you read it closely it indicates that the steps do not apply if using Exchange 2003 SP1 (I assume this would apply to SP2 as well).  The Web DAV address check is not present in Exchange 2003 SP1 or later.

Any other suggestions?

Thanks.

-Robyn

(in reply to de.blackman)
Post #: 3
RE: Provisioning OWA (internal access vs. external access) - 19.Jul.2006 3:42:25 PM   
de.blackman

 

Posts: 3502
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
I have this implemented and it works perfectly in my test environment. Besides, the note actually says
quote:

If you are using Microsoft Exchange Server 2003 Service Pack 1 (SP1), the following steps do not apply. The Web DAV address check is not present in Microsoft Exchange 2003 Service Pack 1. To restrict access to Outlook Web Access if you are using Exchange Server 2003 SP1 or later, follow these steps:


_____________________________

Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator
Navantis
@IbrahimBenna

(in reply to robynk)
Post #: 4
RE: Provisioning OWA (internal access vs. external access) - 19.Jul.2006 8:51:50 PM   
robynk

 

Posts: 4
Joined: 18.Jul.2006
Status: offline
What version of Exchange do you have in the lab?  It looks like the only option with Exchange 2003 (SP1 or greater) is to enable or disable OWA completely (by disabling or enabling the http protocol).  But how do you restrict access from the Internet for just a subset of users?

(in reply to de.blackman)
Post #: 5
RE: Provisioning OWA (internal access vs. external access) - 19.Jul.2006 9:54:10 PM   
de.blackman

 

Posts: 3502
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
I am running Exchange 2003 with SP2. What I did was create another recipient policy and filtered it to stamp only a small number of users that I wanted to restrict OWA access to internally.

quote:

By default, user accounts that are mailbox-enabled are also enabled for Outlook Web Access in Exchange Server 2003.

You can enable users in your corporate network to access Outlook Web Access. At the same time, you can deny access to external clients. The key to this approach is a combination of a recipient policy and a special Hypertext Transfer Protocol (HTTP) virtual server. To use this approach, follow these steps:



1. Create a recipient policy with a Simple Mail Transfer Protocol (SMTP) domain name. Users who connect to an HTTP virtual server must have an e-mail address with the same SMTP domain as the virtual server. Creating a recipient policy is an efficient way to apply the same SMTP domain to multiple users.

   Note: Outlook Web Access users do not have to know the name of the SMTP domain.

2. Apply the recipient policy to the user accounts that you want to enable access for.

3. On the front-end server, create a new HTTP virtual server that specifies the domain that is used in the recipient policy.

After you have completed these steps, users whose e-mail addresses do not have the same SMTP domain as the HTTP virtual server cannot log on and access Outlook Web Access. Also, as long as you do not use the SMTP domain as the default domain, external users cannot determine what the SMTP domain is because the domain does not appear in the From field when users send e-mail messages outside the organization.


This is from the KB article.

_____________________________

Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator
Navantis
@IbrahimBenna

(in reply to robynk)
Post #: 6
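A check to go with the recipient-policy approach quoted above, written as an added example rather than code from the KB article or from the poster: a PowerShell script that lists which AD accounts actually carry an SMTP proxy address in the restricted domain, flags any account where that address is the primary one (the KB notes the domain must not be the default domain or it leaks in the From field), and shows each account's per-user HTTP (OWA) protocol setting. The domain name is a placeholder, and the script assumes the `protocolSettings` encoding Exchange 2003 uses (an `HTTP§1§1§…` entry means enabled, `HTTP§0§1§…` disabled, and no entry means the default, which is enabled).

```powershell
# Added example, not from the KB article or the thread.
# Audits which AD users are stamped with the SMTP domain used by a restricted OWA
# HTTP virtual server, and whether OWA (HTTP) is enabled for them.
# Assumptions: $SmtpDomain is a placeholder; protocolSettings uses Exchange 2003's
# "HTTP§<enabled>§1§§§§§§" encoding.
param(
    [string]$SmtpDomain = 'owa-internal.example'   # placeholder, constructed for this example
)

# Returns the first value of a DirectorySearcher property collection, or '' if empty.
function Get-FirstValue {
    param($Collection)
    if ($Collection -and $Collection.Count -gt 0) { return [string]$Collection[0] }
    return ''
}

# Maps a protocolSettings value list to Enabled / Disabled / Default (enabled).
function Get-OwaProtocolState {
    param([string[]]$ProtocolSettings)
    foreach ($entry in $ProtocolSettings) {
        $fields = $entry -split [string][char]0x00A7   # fields are separated by '§'
        if ($fields[0] -eq 'HTTP') {
            if ($fields[1] -eq '1') { return 'Enabled' }
            if ($fields[1] -eq '0') { return 'Disabled' }
        }
    }
    return 'Default (enabled)'
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.PageSize = 500
# Any user whose proxyAddresses contains an address in the restricted SMTP domain
# (LDAP matching on proxyAddresses is case-insensitive, so "SMTP:" and "smtp:" both match).
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(proxyAddresses=smtp:*@$SmtpDomain))"
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'mail', 'proxyAddresses', 'protocolSettings'))

$report = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    $restricted = @($p['proxyaddresses'] | Where-Object { $_ -like "smtp:*@$SmtpDomain" })
    [pscustomobject]@{
        Account        = Get-FirstValue $p['samaccountname']
        PrimarySmtp    = Get-FirstValue $p['mail']
        RestrictedAddr = ($restricted -join ';')
        # Uppercase "SMTP:" marks the primary address; -clike is case-sensitive.
        IsPrimary      = [bool]($restricted | Where-Object { $_ -clike "SMTP:*@$SmtpDomain" })
        OwaProtocol    = Get-OwaProtocolState -ProtocolSettings @($p['protocolsettings'])
    }
}

$report | Sort-Object Account | Format-Table -AutoSize
```

Run it on a domain-joined machine as a user who can read the mailbox objects; rows with `IsPrimary = True` are the ones to fix before relying on the domain staying hidden, and `OwaProtocol = Disabled` shows accounts where OWA is switched off entirely rather than restricted to internal access.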
RE: Provisioning OWA (internal access vs. external access) - 20.Jul.2006 4:56:19 PM   
trouthunter

 

Posts: 1
Joined: 20.Jul.2006
Status: offline
Sorry Blackman,

That's not exactly going to cut it.

quote:


In Exchange Server 2003 Service Pack 1, you are no longer required to create additional virtual servers and virtual directories for different SMTP domains. However, there may be other logistical or aesthetic reasons for using multiple virtual directories and virtual servers.
Implicit Logon
If the front-end server is configured to authenticate users, users can access their mailboxes by omitting the username from the request, and pointing their browser to their mailbox virtual directory. The usual URL is https://<server>/exchange/. After authenticating the user, the authentication information is used to look up the mailbox associated with the user in Active Directory and the back-end server on which the mailbox is located. The URL is updated with the user name and sent to the correct back-end server. This is known as implicit logon. Implicit logon is useful only for logging on to Outlook Web Access; specialized HTTP clients generally do not use implicit logon.
Exchange 2000 Server SP3 and Exchange Server 2003
Implicit logon makes use of the SMTP domain specified on the HTTP virtual directory to identify the user. Therefore, users connecting to that virtual server must have an e-mail address in their list of SMTP proxy addresses on their object in Active Directory with the same domain.
Exchange Server 2003 SP1
Implicit logon no longer relies exclusively on the SMTP domain specified. All the user information can be gleaned from their logon. Users can use any mailbox Exchange virtual directory to access their e-mail messages.
Explicit Logon
There are a few URLs that users can use to connect to Outlook Web Access. The usual URL is https://<server>/exchange/<username>/. Accessing Outlook Web Access using this URL is referred to as explicit logon.
Explicit logon must be used when the front-end server is not configured to authenticate users (for more information about authentication, see Authentication Mechanisms for HTTP) or when a user is attempting to access a mailbox that is not their own but to which they have access, for example, in the case of delegate users.
Exchange 2000 Server SP3 and Exchange Server 2003
When the front-end server receives an explicit logon request from a client, the user name is extracted from the URL and combined with the SMTP domain name associated with the virtual directory or virtual server to construct a fully qualified SMTP address. The front-end server looks up this address in Active Directory and determines which back-end server has the mailbox associated with the address. The front-end server then forwards the request to that back-end server, which processes the request and returns it back through the front-end server to the client.
Exchange Server 2003 SP1
The user can choose to override the SMTP domain configured on the mailbox virtual directory, by specifying the SMTP address in the URL itself. For example, https://<server>/exchange/username@domain.com. If no SMTP domain is specified, the SMTP domain from the virtual directory will be used.
You can prevent specific users from accessing Outlook Web Access by disallowing the HTTP protocol for those users. To change a user's protocol settings, in Active Directory Users and Computers, use the Exchange Advanced tab in a user's properties.


This is quoted from the Front-End/Back-End architecture guide.

The KB article you quote states that for SP1 and later, you disable OWA in the protocols allowed for the user.  This is also not going to achieve the effect that RobynK is looking for.

My suggestion is to push the access control to OWA to the perimeter network, after all it's network access that you are looking at restricting.  If ISA is used, you can potentially place Access control on rules used to allow people into OWA.  isaserver.org or microsoft.com/isaserver may have details on how to configure this.  Beware that this can affect other services using the ISA server.

If you have a dedicated front end server for external access, you could investigate using NTFS permissions to control access to the OWA files (images, scripts, etc.), which will render OWA useless for people who attempt to access it via the outside.

(in reply to de.blackman)
Post #: 7
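One way to implement the NTFS suggestion in the reply above, as an added example that is not part of the original post: a PowerShell script that, on a front-end server dedicated to external access, adds an inherited Deny ACE for an "internal-only" group on the OWA content directory and then verifies the ACE is in place. The group name and the content path are placeholders (the thread does not name the folder); everything else is standard .NET ACL handling.

```powershell
# Added example, not from the thread. Denies an "internal-only" AD group read access
# to the OWA content directory on a front-end server that serves only external clients,
# so members cannot load OWA through that server. Assumptions: $InternalOnlyGroup and
# $OwaContentPath are placeholders; the server is NOT also used by internal clients.
param(
    [string]$InternalOnlyGroup = 'EXAMPLE\OWA-InternalOnly',   # placeholder group
    [string]$OwaContentPath    = 'C:\PATH\TO\OWA\CONTENT',     # placeholder; the OWA files folder on the FE
    [switch]$Apply                                             # without -Apply, only report what would change
)

# Returns the Deny ACEs on $Path that name $Group (empty if none).
function Get-OwaDenyRules {
    param([string]$Path, [string]$Group)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $Group
    }
}

if (-not (Test-Path -Path $OwaContentPath -PathType Container)) {
    throw "OWA content path not found: $OwaContentPath"
}

$existing = Get-OwaDenyRules -Path $OwaContentPath -Group $InternalOnlyGroup
if ($existing) {
    Write-Host "Deny rule already present for $InternalOnlyGroup on $OwaContentPath"
    $existing | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
    return
}

if (-not $Apply) {
    Write-Host "Would add: Deny ReadAndExecute for $InternalOnlyGroup on $OwaContentPath (re-run with -Apply)"
    return
}

# Deny ACE that inherits to all files and subfolders. Deny entries are evaluated
# before Allow entries, so group membership overrides any Allow the user holds
# through other groups.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $InternalOnlyGroup,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $OwaContentPath
$acl.AddAccessRule($rule)
Set-Acl -Path $OwaContentPath -AclObject $acl

# Verify the ACE landed.
Get-OwaDenyRules -Path $OwaContentPath -Group $InternalOnlyGroup |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
```

Run it first without `-Apply` to see the planned change, then with `-Apply` as a local administrator on the external front-end. The Deny only takes effect because IIS accesses the files as the authenticated user; as the reply notes, it only restricts external access if that front-end is not also the one internal clients use, so test with a member of the group from both sides before rolling out.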