Tuesday, September 17, 2013

How to Block OWA 2010 and 2013 for External Users

Some customers may want to only publish Outlook Web App for internal users.  The following configuration will allow OWA and Exchange Control Panel (ECP) access for internal users on the corporate network, but block external access from the Internet.  Users who connect to the corporate VPN (for example, DirectAccess, AnyConnect, or most any other VPN) from the Internet will also have access.

Blocking OWA externally does not affect ActiveSync or EWS clients. External Outlook Anywhere clients may be unable to manage their voicemail settings if they use Exchange Unified Messaging, since this relies on OWA.

These settings work for both Exchange 2010 and Exchange 2013.  Let's get started.

  • Provide the CAS with an additional private IP address.  You can either add this additional IP to the existing NIC or add another NIC to the server.  If you choose to add another NIC, configure the IP address and subnet, but do not configure a default gateway.  In this example, I will just add another IP address [192.168.1.31] to the existing NIC [192.168.1.30].

  • If you have a load balanced set of CAS servers, you will need to create a new VIP on the load balancer to load balance the new CAS IP addresses.  Do not publish this VIP or IP address to your reverse proxy solution (TMG/ISA) or NAT it to a public IP address.
  • Create a new A record in your internal DNS, for example owa.contoso.com, that points to the new VIP or IP address on your single CAS server.  You should be able to ping owa.contoso.com. Do not publish this A record in your external DNS.
  • Create a new website in Internet Information Services (IIS) Manager called "Internal OWA-ECP". Enter the IP address of the VIP on the hardware load balancer or the new IP address of your single client access server.  Configure the new website's binding to use HTTPS and the correct SSL certificate, as shown in the example below:

  • Create new Exchange OWA and ECP virtual directories using the following cmdlets from the Exchange Management Shell (EMS):
New-OwaVirtualDirectory -WebSiteName "Internal OWA-ECP" -InternalUrl https://owa.contoso.com/OWA -ExternalURL $Null
New-EcpVirtualDirectory -WebSiteName "Internal OWA-ECP" -InternalUrl https://owa.contoso.com/ECP -ExternalURL $Null
  • Optionally, you can configure a default domain for the new OWA virtual directory using the Exchange Admin Console (EAC) or using the following cmdlet in EMS:
Set-OwaVirtualDirectory "servername\owa (Internal OWA-ECP)" -DefaultDomain contoso.com
  • Test the new configuration from an internal client.  You should be able to access OWA using the URL https://owa.contoso.com/owa, and ECP using the URL https://owa.contoso.com/ecp.
  • Now delete both the OWA and ECP virtual directories from the Default Web Site using the following cmdlets from EMS:
Remove-OwaVirtualDirectory "servername\owa (Default Web Site)" -Confirm:$false
Remove-EcpVirtualDirectory "servername\ecp (Default Web Site)" -Confirm:$false
  • At this point internal users can access OWA and ECP, but external users cannot.  External users will get a "404 - Page cannot be found" error when trying to access OWA from the Internet using either https://mail.contoso.com/owa or https://owa.contoso.com/owa.
  • You may also want to create a custom error page for your external users instead of the unfriendly "404 - File or directory not found." message they see when trying to access OWA:
    • Create a custom web page called NoExternalOWA.htm with the error detail you want and copy this file to the %systemdrive%\inetpub\wwwroot folder.  An example might say, "Outlook Web App is only available for internal clients. Please connect using VPN or connect to the local network."
    • In IIS Manager, select the Default Web Site and double-click Error Pages.
    • Double-click the 404 error and configure it to Respond with a 302 redirect to https://<your CAS FQDN>/NoExternalOWA.htm.
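The whole procedure above, from the second IP address through the custom 404 redirect, as one Exchange Management Shell script for a single (non-load-balanced) CAS. This is an added example, not a script from the original post. It assumes Windows Server 2012 or later (for the NetTCPIP and WebAdministration modules), a CAS named EX01, a /24 subnet on the existing NIC, and an assumed home directory C:\inetpub\InternalOWA for the new site; the values in angle brackets are placeholders you replace before running. The IP addresses, host names and site name are the ones used in the post.

```powershell
# Added example (not from the original post): the blocking procedure as one
# EMS script. Assumptions: Windows Server 2012+, CAS named EX01, /24 subnet,
# placeholder values in <...> to be replaced before running.

Import-Module WebAdministration

$server       = 'EX01'                            # assumed CAS name
$siteName     = 'Internal OWA-ECP'
$existingIP   = '192.168.1.30'                    # existing CAS IP from the post
$internalIP   = '192.168.1.31'                    # new internal-only IP from the post
$internalFqdn = 'owa.contoso.com'
$externalFqdn = 'mail.contoso.com'
$certThumb    = '<SSL certificate thumbprint>'    # placeholder
$sitePath     = 'C:\inetpub\InternalOWA'          # assumed home directory for the new site

# 1. Add the second IP to the NIC that already carries the existing CAS IP.
#    No default gateway is added, so nothing new becomes routable from outside.
$ifIndex = (Get-NetIPAddress -IPAddress $existingIP).InterfaceIndex
New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $internalIP -PrefixLength 24 | Out-Null

# 2. The A record must exist only in internal DNS; confirm it resolves to the
#    new IP before building the site on top of it.
$resolved = (Resolve-DnsName $internalFqdn -Type A).IPAddress
if ($resolved -ne $internalIP) { throw "$internalFqdn resolves to $resolved, expected $internalIP" }

# 3. Create the IIS site bound only to the new IP on 443 and attach the certificate.
New-Item -ItemType Directory -Path $sitePath -Force | Out-Null
New-WebSite -Name $siteName -IPAddress $internalIP -Port 443 -Ssl -PhysicalPath $sitePath | Out-Null
Get-Item "Cert:\LocalMachine\My\$certThumb" | New-Item "IIS:\SslBindings\$internalIP!443" | Out-Null

# 4. OWA and ECP virtual directories on the new site, with no external URL.
New-OwaVirtualDirectory -WebSiteName $siteName -InternalUrl "https://$internalFqdn/owa" -ExternalUrl $null
New-EcpVirtualDirectory -WebSiteName $siteName -InternalUrl "https://$internalFqdn/ecp" -ExternalUrl $null
Set-OwaVirtualDirectory "$server\owa ($siteName)" -DefaultDomain 'contoso.com'

# 5. Test the new site before touching the Default Web Site: the forms-based
#    logon page should answer with HTTP 200.
$r = Invoke-WebRequest "https://$internalFqdn/owa" -UseBasicParsing
if ($r.StatusCode -ne 200) { throw "New OWA site not answering: $($r.StatusCode)" }

# 6. Remove OWA and ECP from the Default Web Site, the site the reverse proxy publishes.
Remove-OwaVirtualDirectory "$server\owa (Default Web Site)" -Confirm:$false
Remove-EcpVirtualDirectory "$server\ecp (Default Web Site)" -Confirm:$false

# 7. Friendly page for external users: the Default Web Site's 404 becomes a
#    302 redirect to NoExternalOWA.htm, the same setting the post makes in IIS Manager.
$page = Join-Path $env:systemdrive 'inetpub\wwwroot\NoExternalOWA.htm'
Set-Content -Path $page -Value '<html><body>Outlook Web App is only available for internal clients. Please connect using VPN or connect to the local network.</body></html>'
$filter = 'system.webServer/httpErrors'
Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' -Filter $filter -Name '.' -AtElement @{statusCode='404'; subStatusCode='-1'}
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' -Filter $filter -Name '.' -Value @{statusCode='404'; subStatusCode='-1'; prefixLanguageFilePath=''; path="https://$externalFqdn/NoExternalOWA.htm"; responseMode='Redirect'}

# 8. Final checks: no OWA/ECP directory is left on the published site, and the
#    Default Web Site has no binding on the internal-only IP.
$leftover = @(Get-OwaVirtualDirectory -Server $server; Get-EcpVirtualDirectory -Server $server) |
    Where-Object { $_.Identity -like '*(Default Web Site)' }
if ($leftover) { throw "Still published externally: $($leftover.Identity -join ', ')" }
$badBinding = Get-WebBinding -Name 'Default Web Site' | Where-Object { $_.bindingInformation -like "$internalIP*" }
if ($badBinding) { throw 'Default Web Site is bound to the internal-only IP' }
```

Run it from an elevated Exchange Management Shell on the CAS. For a load-balanced set of CAS servers, steps 1, 3, 4 and 6 are repeated on each server and the internal A record points at the new load-balancer VIP rather than at a server IP; the VIP, like the server IPs, must not be published to the reverse proxy or NAT'd. The two checks in step 8 are the ones worth re-running after any later IIS or Exchange change, since a stray binding or a recreated virtual directory on the Default Web Site silently re-exposes OWA.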

It's important to note that OWA and ECP are tightly integrated. You won't be able to log on to ECP without publishing OWA in the same website. If you remove only the ECP virtual directory from the Default Web Site, OWA users will not be able to access their mailbox options, such as out-of-office settings, from the Internet. I mention this because some organizations may want to block ECP from the Internet to prevent access to the Exchange Admin Console (which uses ECP).

    11:13 AM