So not sure if you have load balancers in front of the CAS servers or not.  If 
so, you can use those to do a URL block.  So what we did is set up a content 
filter on our load balancer that looks at the URL; any URL other than 
.../Microsoft-server-activesync gets a 404 error page if it is coming from the 
firewall IP.  So internal IPs still have access to OWA and ECP.
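
The URL filter described in this reply, sketched as a stand-alone decision function (an added example, not part of the original message and not any load balancer's own rule syntax). The firewall address 192.0.2.10 and the names `FIREWALL_SOURCES`, `normalise_path` and `is_allowed` are assumptions; the path is normalised before matching so the rule is evaluated against the path the backend would resolve.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumed values for illustration (not from the thread): the address the
# firewall presents to the load balancer, and the one path left reachable.
FIREWALL_SOURCES = [ipaddress.ip_network("192.0.2.10/32")]
ALLOWED_PREFIX = "/microsoft-server-activesync"  # compared case-insensitively


def normalise_path(request_target: str) -> str:
    """Reduce a request target to a canonical, lower-case path."""
    path = request_target.split("?", 1)[0]             # drop the query string
    path = unquote(path).replace("\\", "/")            # decode once, unify separators
    path = posixpath.normpath("/" + path.lstrip("/"))  # collapse //, /./ and /../
    return path.lower()


def is_allowed(source_ip: str, request_target: str) -> bool:
    """True = pass to the CAS servers, False = answer 404 at the load balancer."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in FIREWALL_SOURCES):
        return True   # internal client: OWA and ECP stay reachable
    path = normalise_path(request_target)
    if "%" in path:
        return False  # still encoded after one decode: fail closed
    # Match the exact path or a sub-path, never a longer look-alike name.
    return path == ALLOWED_PREFIX or path.startswith(ALLOWED_PREFIX + "/")


# Constructed sample requests: (source IP, request target).
SAMPLES = [
    ("192.0.2.10", "/Microsoft-Server-ActiveSync?Cmd=Sync&User=jdoe"),
    ("192.0.2.10", "/owa/"),
    ("192.0.2.10", "/Microsoft-Server-ActiveSync/../ecp/"),
    ("10.1.2.3", "/owa/"),
]

if __name__ == "__main__":
    for src, target in SAMPLES:
        verdict = "pass" if is_allowed(src, target) else "404"
        print(f"{src:<12} {target:<50} {verdict}")
```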

From: [email protected] [mailto:[email protected]] On 
Behalf Of Maglinger, Paul
Sent: Wednesday, September 9, 2015 2:12 PM
To: '[email protected]' <[email protected]>
Subject: RE: [Exchange] Restrict external OWA access

We still want Active Sync and it uses 443 just like OWA.  Jim's "thinking out 
loud" mentioned a lot of the things I've found, but the solution below seems 
easy to apply, easy to reverse if it doesn't work, no service/server reboots, 
no DNS changes, no NIC changes, no firewall changes, and no certificates.

From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Chenault
Sent: Wednesday, September 09, 2015 12:56 PM
To: [email protected]
Subject: RE: [Exchange] Restrict external OWA access

Perhaps I'm missing something... if you don't want OWA available externally 
don't let the firewall route to it. Or are you trying to restrict specific 
users?
________________________________
From: [email protected]
To: [email protected]
Subject: [Exchange] Restrict external OWA access
Date: Wed, 9 Sep 2015 14:17:59 +0000
I've been looking for a way to restrict OWA access externally.  One method which 
intrigues me is this:

 
http://www.leederbyshire.com/Articles/Block-Or-Allow-OWA-Depending-On-Location-2007.asp

Although written for Exchange 2007 (this environment is Exchange 2010), the 
files exist and it seems that it would work.
Other solutions involve setting up a second IP address and setting up another 
virtual directory.

This seems to be less complicated than any other method I've found.  Would 
anyone care to chime in with an opinion?

-Paul
