Disable MAPI over HTTP connections so that only allowed users can log on from the open Internet
We had a peculiar requirement: any user sitting inside the organization (including branch offices) should be able to use a MAPI account, but only selected users should be allowed to access it from the Internet.
As we all know, MAPI over HTTP lets users connect to Exchange servers with a mail client, and from there they can create PSTs.
Blocking that access for specific users while still allowing it for some privileged users was a great challenge.
It was clear that not much could be done from the Exchange consoles: they only give an option to enable or disable MAPI for a user, with no option to block that user when connecting from the Internet.
What we did was work on the permissions of the RPCproxy.dll file, which is responsible for the Outlook Anywhere (RPC over HTTP) service. On your Internet-facing front end, create a security group for the users who are to be allowed, grant that group permission on the file, and remove "EVERYONE" from its permissions.
File Location: C:\Windows\System32\Rpcproxy
Note: On Exchange 2010 this file is not available until you enable the Outlook Anywhere service on the CAS server.
Exchange 2010 does not have the "Everyone" permission entry on the Rpcproxy.dll file.
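
The permission change described above can also be scripted. The following PowerShell is an added example, not part of the original post; the group name CONTOSO\OA-Internet-Allowed and the backup path are hypothetical. It assumes an elevated session under an account that is already allowed to change permissions on the file.

```powershell
# Added example: limit Rpcproxy.dll on the Internet-facing front end to one group.
# ASSUMPTIONS: $allowed and $backup are hypothetical; the account running this
# is already permitted to change the file's permissions.
$dll     = 'C:\Windows\System32\Rpcproxy\Rpcproxy.dll'
$allowed = 'CONTOSO\OA-Internet-Allowed'            # hypothetical security group
$backup  = Join-Path $env:TEMP 'Rpcproxy.dll.sddl.txt'

if (-not (Test-Path -Path $dll)) {
    throw 'Rpcproxy.dll not found. On Exchange 2010, enable Outlook Anywhere on the CAS first.'
}

$acl = Get-Acl -Path $dll

# Keep the original security descriptor so the change can be rolled back.
$acl.Sddl | Set-Content -Path $backup

# "Everyone" is the well-known SID S-1-1-0, independent of OS display language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$sidType  = [System.Security.Principal.SecurityIdentifier]
$rules    = $acl.GetAccessRules($true, $true, $sidType)

# Inherited entries cannot be removed directly: convert them to explicit
# entries first, write that back, then reload the ACL.
$inherited = $rules | Where-Object {
    $_.IsInherited -and $_.IdentityReference.Value -eq $everyone.Value
}
if ($inherited) {
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $dll -AclObject $acl
    $acl = Get-Acl -Path $dll
}

# Remove every entry for Everyone, then grant the allowed group read/execute.
$acl.PurgeAccessRules($everyone)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $allowed, 'ReadAndExecute', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dll -AclObject $acl

# Verify the result: Everyone should be gone, the group should be listed.
(Get-Acl -Path $dll).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

On Exchange 2010, where there is no "Everyone" entry on the file, the purge step changes nothing and the script only adds the group entry.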