
Saturday, December 16, 2017

Exchange - Disable OWA Externally With Kemp

{rant} In my organization, we have some "project managers" who have very little understanding of Exchange and therefore come up with policies that don't make any sense at all, like disabling OWA externally. To make matters worse, they're not even project managers for my US Exchange environment; they're located in the European HQ, which has its own Exchange forest.
Even after presenting whitepapers and articles showing that OWA has a very small attack surface, and the Exchange servers aren't directly behind OWA (the reverse proxy is), they still want it disabled...stupid {end-rant}

I've seen this question tons of times on forums and some of the answers go to extreme lengths like:

- Setting up separate virtual directories in Exchange with new IPs and DNS (that's way too much work)
- Setting firewall rules to block IPs (this is a bad idea, especially if you federate with another organization, as it will almost certainly break your free/busy sharing)

If you run a Kemp LoadMaster (or any load balancer for that matter) the solution is pretty simple:

Disable the OWA SubVS on the External Arm.

On your LoadMaster, navigate to:

Virtual Services > View/Modify Services > Your External Arm

Click the Modify Button in the right-pane:

[Image: Kemp VIPs]

Scroll down and expand SubVSs.

On the OWA row, click the Disable button under the Operation column on the right:

[Image: Kemp Disable OWA]

It will show Disabled under Status.

Now browse externally to your OWA site and you'll get:

[Image: OWA Not Found]

**Note** This will also disable external EAC access. So tell your IT security trolls (who came up with the not-so-brilliant idea to disable everything) that if an emergency occurs, you'll have to go to your computer, connect to the VPN, log into the EAC, and fix what broke...there will be no more instant support.

On the positive side, free/busy, federation, ActiveSync, and Outlook Anywhere will still function properly.
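
One way to confirm the result from outside the network, as an added example that is not part of the original post: it probes OWA and EAC (expected to be blocked) and the services that should keep working. The paths are the default Exchange virtual directory names, and the rule that "below 400 or a 401 challenge means the request reached Exchange" is an assumption of this sketch, as is passing the external hostname as the first argument.

```python
"""Added example: check from outside that OWA/EAC are blocked and other services answer."""
import sys
import urllib.error
import urllib.request

# Assumption: default Exchange virtual directory paths.
BLOCKED = ["/owa/", "/ecp/"]
PUBLISHED = ["/Microsoft-Server-ActiveSync", "/EWS/Exchange.asmx",
             "/Autodiscover/Autodiscover.xml", "/rpc/rpcproxy.dll"]


def probe(host, path, timeout=10):
    """Return the HTTP status for https://host/path, or None if no connection."""
    try:
        with urllib.request.urlopen(f"https://{host}{path}", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code              # 401, 404, ... are still answers
    except (urllib.error.URLError, OSError):
        return None                  # refused, reset, timeout, TLS failure


def reaches_exchange(code):
    """Heuristic (assumption): success, redirect or an auth challenge means
    the load balancer passed the request through to Exchange."""
    return code is not None and (code < 400 or code == 401)


def evaluate(statuses):
    """statuses maps path -> status (or None). Empty result = policy holds."""
    findings = []
    for path in BLOCKED:
        if reaches_exchange(statuses.get(path)):
            findings.append(f"{path} is still reachable externally "
                            f"(HTTP {statuses[path]})")
    for path in PUBLISHED:
        if not reaches_exchange(statuses.get(path)):
            findings.append(f"{path} no longer answers externally "
                            f"(got {statuses.get(path)})")
    return findings


if __name__ == "__main__":
    host = sys.argv[1]               # external name; run this from outside the VPN
    results = {p: probe(host, p) for p in BLOCKED + PUBLISHED}
    for line in evaluate(results) or ["external exposure matches the intended policy"]:
        print(line)
```

Run it again after any LoadMaster change to catch a SubVS that was re-enabled or a published service that was disabled by mistake.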

1 comment:

  1. Very nice approach.
    I've been struggling for a while to find a way to limit/control external access to Exchange services, and I ended up using a very similar approach. Also using a KEMP Load Master.
    If I only found your article a week earlier, it would have saved me a lot of time :)
    Keep up the good work!
