
Restrict access to Outlook Web Access via Exchange System Manager

Learn how to configure Exchange System Manager (ESM) to restrict certain users from accessing Outlook Web Access (OWA), without limiting users' LAN access.

We have an Exchange server with both a private and a public IP address. We also have a group of users inside the internal network who must access their email through Outlook Web Access (OWA). Every OWA-enabled domain user can access the domain from the Internet using our public IP address or FQDN, but we would like a different configuration.

We want only certain users to access OWA from the Internet, but we don't want this restriction to prevent other users from accessing the internal LAN. Is this possible?

To restrict access to OWA from the Internet to a certain subset of users, you can create a second HTTP virtual server within the Exchange System Manager (ESM) for Exchange Server 2003, and then apply NTFS permissions to the directory that serves it. Here are the basic steps:

  1. If you have an available (i.e., unused) public IP address, add a private IP address to the current TCP/IP settings of your server's network card. This address will be mapped to the public address.
  2. Create a new DNS host entry for your system. For example, you might already have mail.yourdomain.com, but now you will add something like mail2.yourdomain.com. Point this entry to the new public IP address (if you have one) or to the current public IP address.
  3. Drill down in the ESM through your server object -> Protocols -> HTTP to the Exchange Virtual Server. Right-click on the HTTP node and select "New HTTP Virtual Server."
  4. In the properties of the new virtual server, provide a name such as "Internet Virtual Server," and click on the Advanced button to specify the new private IP address and/or the host header (mail2.yourdomain.com) to distinguish it from the original virtual server. Edit the existing "All Unassigned" entry there instead of creating a new entry.
  5. In the Settings tab, enable forms-based authentication so that users will receive the OWA logon screen.
  6. If you're using the additional public IP address method rather than the existing IP address, configure your Internet firewall to direct inbound HTTP and/or HTTPS traffic for that IP address to your server's corresponding private IP address.
  7. Go into IIS Manager to view the new website that corresponds to your new virtual server. Note the directory on the hard drive, and then browse to that location. It should be the same path as the original virtual server, which typically is C:\Program Files\ExchSrvr\ExchWeb.
  8. Copy the ExchWeb directory and paste it into the ExchSrvr directory at the same level. You can call it ExchWebInternet.
  9. Set permissions on the new ExchWebInternet directory to give users the desired level of access. For example, set Deny permissions for those users (or security groups) that should NOT be able to access OWA through the Internet.
  10. If you are using SSL on your website, then you also should create a certificate for the new site. Be sure to specify a unique port number if you're using the same DNS name as the original site.
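Steps 8 and 9 as a script, added here as an example rather than part of the original answer: it duplicates ExchWeb to ExchWebInternet, adds an inherited NTFS Deny entry for a security group, and then reports the Deny entries on both directories so you can confirm the LAN-facing copy is untouched. The paths follow the answer's typical location; the group name YOURDOMAIN\OWA-Internal-Only is a hypothetical placeholder, and the script assumes the new virtual server's home directory in IIS points at the copy.

```powershell
# Added example, not code from the original answer.
# Assumptions: default ExchSrvr path, and a hypothetical security group whose
# members must use OWA only from the LAN.
$Source      = 'C:\Program Files\ExchSrvr\ExchWeb'
$Target      = 'C:\Program Files\ExchSrvr\ExchWebInternet'
$DeniedGroup = 'YOURDOMAIN\OWA-Internal-Only'   # placeholder group name

# Step 8: duplicate the directory at the same level as ExchWeb.
if (-not (Test-Path -Path $Target)) {
    Copy-Item -Path $Source -Destination $Target -Recurse
}

# Step 9: add a Deny ACE for ReadAndExecute that is inherited by every file and
# subfolder of the copy. A Deny entry takes precedence over any Allow entry, so
# members of the group stay locked out even if another group grants them access.
$acl  = Get-Acl -Path $Target
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $DeniedGroup, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Deny'
$acl.AddAccessRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Verification: the Internet-facing copy should carry the Deny entry, and the
# original ExchWeb directory (used by the internal virtual server) should not.
foreach ($dir in @($Source, $Target)) {
    $denies = (Get-Acl -Path $dir).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { $_.IdentityReference.Value }
    $shown = if ($denies) { $denies -join ', ' } else { '(none)' }
    Write-Output ("{0}: Deny entries for {1}" -f $dir, $shown)
}
```

Run it from an elevated prompt on the Exchange server; a member of the denied group should then get an access-denied response from the Internet virtual server while still reaching OWA through the internal one.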

Once you've completed these steps, test the solution thoroughly using different user accounts.

This was last published in December 2008
