
Exchange 2013 - Two OWA sites one with AD restrictions. Forward and Backward facing.

I had to take on a project to restrict OWA access for certain users when they came in through Exchange's external address. There are several ways to do this with an application-layer firewall such as Microsoft TMG or a Fortinet FortiGate, or with AD FS, and those solutions would certainly work once configured properly, but I had to make the change with as little impact as possible on the current architecture, and licence restrictions ruled out a third-party tool.

Microsoft's Exchange Team published a great blog post on how to create the secondary OWA site. In it they point out that a particular security group has to be added to the OWA directory's NTFS permissions so that IIS can read the folder. That sparked an idea that went back to my MCITP reading: Deny permissions take precedence over Allows. More precisely, Windows evaluates explicit Deny entries before explicit Allow entries, and explicit entries before inherited ones, so an explicit Deny on the folder wins regardless of what other groups the user belongs to.

If that holds, then creating a security group containing every user we want to block and adding a Deny entry for that group on the external site's OWA directory should block exactly those users, because the Deny outranks the Allow that IIS grants them through the Authenticated Users group; the denied user still authenticates, but IIS then refuses the request (HTTP 401.3, access denied by ACL). Sure enough, once this was put into practice it did work. Two things to keep in mind: put the Deny on the external site's OWA folder only, or the same users lose internal OWA as well, and the trick restricts only the OWA folder on that site, so anything else published on the same external address is unaffected. A little prerequisite knowledge can go a long way.
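The group-plus-Deny-ACE trick described above, as an added PowerShell example that is not part of the original post or of the Exchange Team's instructions. The group name, OU, user names and the physical path of the second site's Owa folder are all hypothetical placeholders; the internal path is the Exchange 2013 default install location. It creates the group, applies an explicit Deny on the external site's folder, and checks that the Deny sits first in the DACL and has not leaked onto the internal site's folder.

```powershell
# Added example (not from the original post): create the "deny" group, populate it,
# and put an explicit Deny ACE on the second (external) OWA site's folder.
# Assumptions (not stated in the post): group name, OU, folder path and the sample
# users below are hypothetical placeholders; adjust them to your environment.

Import-Module ActiveDirectory

$DenyGroup       = 'OWA-External-Deny'                # hypothetical group name
$GroupOU         = 'OU=Groups,DC=corp,DC=example'     # hypothetical OU
$RestrictedUsers = @('jdoe', 'asmith')                # hypothetical sAMAccountNames
$ExternalOwaPath = 'C:\inetpub\ExternalOwa\Owa'       # assumed path of the second site's Owa folder
$InternalOwaPath = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa'  # Exchange 2013 default

# 1. Security group holding everyone who must NOT reach OWA on the external site.
if (-not (Get-ADGroup -Filter "Name -eq '$DenyGroup'")) {
    New-ADGroup -Name $DenyGroup -GroupScope Global -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $DenyGroup -Members $RestrictedUsers

# 2. Explicit Deny ACE on the external folder and everything beneath it.
#    Windows evaluates explicit Deny before explicit Allow, so the Allow that
#    Authenticated Users carries no longer lets these members in.
$domainGroup = "$((Get-ADDomain).NetBIOSName)\$DenyGroup"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $domainGroup,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $ExternalOwaPath
$acl.AddAccessRule($rule)
Set-Acl -Path $ExternalOwaPath -AclObject $acl

# 3. Verify: the Deny must be present and sit ahead of the Allow entries
#    (canonical DACL order); if it is not first, the DACL was not written canonically.
$access = (Get-Acl -Path $ExternalOwaPath).Access
$deny   = $access | Where-Object {
    $_.IdentityReference.Value -eq $domainGroup -and $_.AccessControlType -eq 'Deny'
}
if (-not $deny) { throw "Deny ACE for $domainGroup was not applied to $ExternalOwaPath" }
if ($access[0].AccessControlType -ne 'Deny') {
    Write-Warning 'First ACE is not a Deny; check the DACL ordering on the external Owa folder'
}

# 4. Sanity check: the internal site's Owa folder must carry no such Deny,
#    otherwise the restricted users lose internal OWA as well.
$leak = (Get-Acl -Path $InternalOwaPath).Access | Where-Object {
    $_.IdentityReference.Value -eq $domainGroup -and $_.AccessControlType -eq 'Deny'
}
if ($leak) { Write-Warning "Deny ACE for $domainGroup is also present on $InternalOwaPath" }
```

Run it as an account that can create groups in the target OU and modify the folder's ACL. The Deny is written with ContainerInherit and ObjectInherit so that it covers the files under the Owa folder too; a Deny limited to the folder itself would still let a member request individual files by path.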

I will not go into the IIS changes themselves, since the Exchange Team post covers them thoroughly. Good luck with this little trick.
