Windows Server - enable outlook web access and RWW on LAN only?

Asked By sortasbsguy on 04-Sep-08 03:41 AM
Is there a way to enable OWA and RWW for PCs on the local
network, but to disable access to them from the outside world? I'm
planning on forwarding port 443 through the firewall specifically for
exchange RPC over HTTPS transport, but don't want people to be able to
get to OWA or RWW unless they are on the local network, or connect
using VPN (and end up on a local subnet.)

If I uncheck the CEICW wizard checkboxes for enabling OWA and RWW
from the internet, then unfortunately I don't get the OWA option from
a web browser even when I am on the local network.

Is there a way to enable them from the CEICW, but do something
with IIS/security settings or some such thing to exclude traffic
coming from the outside world? Thanks,




sortasbsguy replied on 04-Sep-08 03:41 AM
I forgot to mention, it is a SBS2003 server with a single network
interface and an external cisco asa firewall/router doing the port
forwarding. Thanks,
Cris Hanna [SBS - MVP] replied on 02-Sep-08 11:15 PM
When you run the Connect to Email and the Internet Connection Wizard (CEICW)
you will have the option to block OWA and RWW via the firewall.

RWW is not intended as an "inside the lan" technology.   If you are inside
the lan with a workstation, why would you want to connect to another desktop
to do your work?   And if you are inside the lan, you should be using Outlook
for email rather than OWA.

--
Cris Hanna [SBS - MVP]
Co-Author, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1

------------------------------------
MVPs do not work for Microsoft
Please do not submit questions directly to me.
Russ (www.SBITS.Biz) replied on 02-Sep-08 11:23 PM
You can try this.
Restrict that website to Local IPs

Open up IIS
Expand Default Website
Right Click on ExchWeb
Properties
Directory Securities Tab
Click button "Edit" IP addresses and Domain restrictions.
Restrict to all Except Computers
Click Add then put in your IP Network and Subnet mask

Repeat for Remote
That might work
Russ


--
Russell Grover - SBITS.Biz
Microsoft Gold Certified Partner
Microsoft Small Business Specialist
World Wide Remote SBS2003 Support - http://www.SBITS.Biz
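
The steps in the reply above, scripted against the IIS 6 metabase through ADSI, as an added example that is not part of the thread. It assumes the Default Web Site is site ID 1 and uses a constructed LAN subnet of 192.168.16.0 / 255.255.255.0; the two directory names are the ones given in the reply.

```vbscript
' Added example, not from the thread. Run on the server: cscript restrict-vdirs.vbs
Option Explicit

' Assumption: the Default Web Site is site ID 1 in the metabase.
Const SITE_ROOT = "IIS://localhost/W3SVC/1/ROOT/"

' Constructed sample value: replace with your own LAN network and subnet mask.
Dim allowed : allowed = Array("192.168.16.0,255.255.255.0")

' The two virtual directories named in the reply.
Dim vdirs : vdirs = Array("ExchWeb", "Remote")

Dim name, vdir, ipSec, entry
For Each name In vdirs
    On Error Resume Next
    Set vdir = GetObject(SITE_ROOT & name)
    If Err.Number <> 0 Then
        WScript.Echo name & ": not found under the site root, skipped"
        Err.Clear
        On Error GoTo 0
    Else
        On Error GoTo 0
        ' Deny everyone by default, then grant only the listed network.
        Set ipSec = vdir.IPSecurity
        ipSec.GrantByDefault = False
        ipSec.IPGrant = allowed
        vdir.IPSecurity = ipSec
        vdir.SetInfo

        ' Read the setting back from the metabase to confirm what was stored.
        Set vdir = GetObject(SITE_ROOT & name)
        Set ipSec = vdir.IPSecurity
        WScript.Echo name & ": GrantByDefault=" & ipSec.GrantByDefault
        For Each entry In ipSec.IPGrant
            WScript.Echo "  granted: " & entry
        Next
    End If
Next
```

Only the two named directories are changed, so other paths under the Default Web Site keep their current access rules.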
Larry Struckmeyer [SBS-MVP] replied on 03-Sep-08 07:45 AM
Hi Sorta:

I would be very interested in knowing why you feel the need to do what you
have listed.  Can you explain?

-Larry
sortasbsguy replied on 04-Sep-08 03:42 AM
Where I find OWA and RWW useful is from the outside world in the
oddball case where the cisco vpn client doesn't work and someone has
to use the cisco's web VPN. The web VPN isn't a full VPN, it's
basically a port-forwarding proxy that runs on the remote computer and
can only forward a finite number of ports, and in this case with just
SSL/443 forwarded, using OWA/RWW you can access both email and remote
desktop. I'm just a bit reluctant to open up OWA & RWW completely to
the outside world, having the extra layer of VPN security seems like a
reasonable restriction for things other than outlook RPC/HTTPS email.

I agree, normally, if you can VPN in or are on the local network
OWA and RWW don't make much sense.

I saw the IIS IP-based restriction & thought that might be the
way to go, will give it a shot. Just a quick question - would that
have to be done for all of the websites under Default Website? I'm
noticing quite a few SBS2003 & dell related things there -
ConnectComputer, dell ArrayManager, ClientHelp, & two of our local
intranet-only websites (internal test/staging area for our corporate
web page, and bugzilla)

Many thanks for all the help.


Russ (www.SBITS.Biz) replied on 03-Sep-08 05:03 PM
The IIS suggestion is only for the two I mentioned under default.

And IMO from a connection situation
RWW is just as Secure as a VPN connection
bad passwords  = Bad Security.

But as far as Viruses?
IMO VPN is LESS secure.
Since you don't know what the status of the REMOTE computer is when it
connects to the LAN

Russ

--
Russell Grover - SBITS.Biz
Microsoft Gold Certified Partner
Microsoft Small Business Specialist
World Wide Remote SBS2003 Support - http://www.SBITS.Biz