Restrict access to Outlook Web Access via Exchange System Manager

We want only certain users to access OWA from the Internet, but we don't want this restriction to prevent other users from accessing the internal LAN. Is this possible?

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Exchange Server Permissions Exchange users receiving email addressed to legacy users Why you should secure Exchange 2007 using administrative policies Editing Exchange Server public folder permissions Can't delete old Microsoft Outlook public folders Why can't I grant users permissions to an Exchange public folder? Exchange public folder calendar can't be opened in Microsoft Outlook Grant or deny permissions to access a user's Exchange 2007 mailbox Set Outlook calendar permissions for group to view private meetings Exchange Admin 101: Exchange 2003 and Exchange 2007 admin privileges Selectively set email permissions for Exchange groups Microsoft Exchange Server User Settings Email issues after configuring hosted Exchange server on laptop Control Outlook 2007 in cached mode settings with group policies Group policy settings for Outlook 2007 in cached mode How to custom-configure a Microsoft Outlook 2007 install using OCT Expand Microsoft Outlook email rules with the Auto-Mate add-on tool Exchange 2007 out-of-office (OOF) feature adds usability and security Managing Microsoft Outlook search folder functionality Back up and restore Microsoft Outlook settings Managing Microsoft Outlook's AutoComplete option Can an admin create out-of-office messages from ESM or AD? Outlook Web Access OWA 2007 configuration tricks to boost performance Top 5 Exchange ActiveSync tips Lock down direct file access and protect OWA users Simplify an OWA URL on Windows Server 2008 Windows Mobile 6.5 touts Internet Explorer, OWA improvements When OWA's default configurations aren't good enough Digging deeper into Exchange Server 2010 Troubleshoot 'System Attendant' error messages in OWA Troubleshoot Microsoft Outlook Web Access problems Detecting update rollup and patch failures in OWA

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary privilege  (SearchExchange.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

To restrict access to OWA from the Internet to a certain subset of users, you can create a second Exchange Virtual Server within the Exchange System Manager (ESM) for Exchange Server 2003. You then must apply permissions to that folder. Here are the basic steps:

1. If you have an available (i.e., unused) public IP address, add a private IP address to the current TCP/IP settings of your server's network card. This address will be mapped to the public address.
2. Create a new DNS host entry for your system. For example, you might already have mail.yourdomain.com, but now you will add something like: mail2.yourdomain.com. Point this entry to the new public IP address (if you have one) or to the current public IP address.
3. Drill-down in the ESM through your server object -> Protocols -> HTTP to the Exchange Virtual Server. Right-click on the HTTP node and select "New HTTP Virtual Server."
4. In the properties of the new virtual server, provide a name such as "Internet Virtual Server," and click on the Advanced button to specify the new, private IP address and/or the host header (mail2.yourdomain.com) to distinguish it from the original virtual server. You'll want to edit the existing "All Unassigned" entry in there, instead of creating a new entry.
5. In the Settings tab, enable forms-based authentication so that users will receive the OWA logon screen.
6. If you're using the additional public IP address method rather than the existing IP address, configure your Internet firewall to direct inbound HTTP and/or HTTPS traffic for that IP address to your server's corresponding private IP address.
7. Go into IIS Manager to view the new website that corresponds to your new virtual server. Note the directory on the hard drive, and then browse to that location. It should be the same path as the original virtual server, which typically is C:Program FilesExchSrvrExchWeb.
8. Copy the ExchWeb directory and paste it into the ExchSrvr directory at the same level. You can call it ExchWebInternet.
9. Set permissions on the new ExchWebInternet directory to give users the desired level of access. For example, set Deny permissions for those users (or security groups) that should NOT be able to access OWA through the Internet.
10. If you are using SSL on your website, then you also should create a certificate for the new site. Be sure to specify a unique port number if you're using the same DNS name as the original site.

Once you've completed these steps, test the solution thoroughly using different user accounts.

Do you have comments on this Ask the Expert Q&A? Let us know.

Ask an Exchange Server question in our forum.