How to block Autodiscover externally in Exchange 2013? Is this recommended?

Hi Experts,

We have Exchange 2013 CU5 & Office 365 Hybrid.

We have allowed Autodiscover externally as well.

Our concerns with current setup are:

1. Users who know their email address/password can configure their Outlook at home or outside the org. As per policy this is not allowed in our org... :(

2. So we need to know: if we block Autodiscover externally, what would be the impact?

3. Our goal is to only allow domain machines to be configured with Outlook. Is there any alternative for this?

Please suggest right solution for this sc

August 3rd, 2015 2:15am

Hi Manju,

It's not Autodiscover you would want to block, but Outlook Anywhere.

Autodiscover helps your users discover the configuration, and it's possible to configure Outlook without it.

Refer to these solutions:

Disabling Outlook Anywhere for External Users with Exchange 2013

Set-OutlookAnywhere

Exchange 2013: Configuring Outlook anywhere

You may leave the external hostname blank if you do not want your external clients to connect to Outlook Anywhere from internet.

August 3rd, 2015 2:44am

I saw the 1st thread, but as the user there said, I too want only Outlook to be blocked externally; all other services should work normally.

August 3rd, 2015 4:50am

Blocking AutoDiscover does not achieve the target you set. Users are still able to configure it manually.

The proper way is not to expose your Exchange service to the Internet. This is already in place by default, assuming your Exchange servers hold private IP addresses. If you have already configured your firewall or reverse proxy to facilitate external access, just roll back the changes.

August 3rd, 2015 5:42am

We have NATed the HLB IP to our external URL in the firewall: mail.domain.com
August 3rd, 2015 5:53am

If the inbound mail flow also goes through the NATed IP, you need to restrict the NAT to SMTP (port 25) only, i.e. don't allow HTTPS traffic to reach the HLB.

Otherwise, you can simply remove the NAT.

August 3rd, 2015 7:52am

A little confusing here,

We use this NATed URL - mail.domain.com - for ActiveSync & OWA. If we remove this, it would be a challenge for configuring ActiveSync, you know :(

August 3rd, 2015 10:43pm

But you didn't mention you need to have external access for ActiveSync and OWA :)

In this case the recommended approach is to have a reverse proxy to publish Exchange services to the Internet. A reverse proxy can selectively publish OWA and ActiveSync while blocking Outlook Anywhere.

Another approach is to use internal names for all URLs (e.g. mail.mydomain.local), including the OAB/EWS virtual directory internal/external URLs, the Outlook Anywhere internal/external hostname, and AutoDiscoverServiceInternalUri for all CAS. In this way, users on the public network are not able to resolve any name to an IP, hence Outlook is not able to access email from the public network. But you need a private CA to issue an SSL cert with internal names.

August 4th, 2015 1:44am
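The "internal names" approach from the reply above, written out as an Exchange Management Shell script. This is an added example, not code from the thread or from Microsoft. It assumes Organization Management rights, that mail.mydomain.local (a hypothetical name) already resolves in internal DNS, and that a private-CA certificate carrying that name is already bound to IIS on every CAS. It only touches the Outlook-related endpoints the reply lists (Autodiscover SCP, EWS, OAB, Outlook Anywhere); the OWA and ActiveSync virtual directories are left alone so they can still be published externally.

```powershell
# Added example (not from the thread). Point every Outlook-facing URL of each
# Exchange 2013 CAS at an internal-only name so public DNS cannot resolve it.
# Assumptions: Exchange Management Shell, Organization Management rights,
# mail.mydomain.local (hypothetical) in internal DNS and on a private-CA cert.
$InternalName   = 'mail.mydomain.local'
$AutodiscoverUri = "https://$InternalName/Autodiscover/Autodiscover.xml"
$Preview        = $true    # set to $false to apply; $true only shows -WhatIf output

foreach ($cas in Get-ClientAccessServer) {
    $server = $cas.Name
    Write-Host "Configuring $server ..."

    # Autodiscover SCP that domain-joined Outlook reads out of Active Directory.
    Set-ClientAccessServer -Identity $server `
        -AutoDiscoverServiceInternalUri $AutodiscoverUri -WhatIf:$Preview

    # EWS and OAB: internal AND external URL both carry the internal name.
    Get-WebServicesVirtualDirectory -Server $server |
        Set-WebServicesVirtualDirectory `
            -InternalUrl "https://$InternalName/EWS/Exchange.asmx" `
            -ExternalUrl "https://$InternalName/EWS/Exchange.asmx" -WhatIf:$Preview
    Get-OabVirtualDirectory -Server $server |
        Set-OabVirtualDirectory `
            -InternalUrl "https://$InternalName/OAB" `
            -ExternalUrl "https://$InternalName/OAB" -WhatIf:$Preview

    # Outlook Anywhere: both hostnames become the internal name. Exchange 2013
    # requires the auth method and SSL flag to be given alongside the hostname.
    $oaParams = @{
        InternalHostname                   = $InternalName
        InternalClientsRequireSsl          = $true
        InternalClientAuthenticationMethod = 'Ntlm'
        ExternalHostname                   = $InternalName
        ExternalClientsRequireSsl          = $true
        ExternalClientAuthenticationMethod = 'Negotiate'
        WhatIf                             = $Preview
    }
    Get-OutlookAnywhere -Server $server | Set-OutlookAnywhere @oaParams
}

# Verification: nothing Outlook-facing should still mention the public name.
Get-ClientAccessServer            | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize
Get-OutlookAnywhere               | Format-Table Server, InternalHostname, ExternalHostname -AutoSize
Get-WebServicesVirtualDirectory   | Format-Table Server, InternalUrl, ExternalUrl -AutoSize
Get-OabVirtualDirectory           | Format-Table Server, InternalUrl, ExternalUrl -AutoSize
```

Run it once with $Preview left at $true to see every change the cmdlets would make, then flip it to $false. The verification tables at the end are what you would re-run after the change and after any later CU, since a CAS re-added to the organization comes back with the public name.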


Hi Manju,

Give this a shot and let me know if it works for you.

You may leave the external hostname blank if you do not want your external clients to connect to Outlook Anywhere from internet.

Do this for every CAS you have.

Set-OutlookAnywhere -Identity 'CAS01\rpc (Default Web Site)' -ExternalHostname ''

Set-OutlookAnywhere -Identity 'EXCH1\rpc (Default Web Site)' -IISAuthenticationMethods NTLM

References:

Set-OutlookAnywhere:

https://technet.microsoft.com/en-us/library/bb123545(v=exchg.150).aspx

Configure an External Host Name for Outlook Anywhere:

https://technet.microsoft.com/en-us/library/aa996902(v=exchg.141).aspx

August 6th, 2015 12:50am
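The same change applied to every CAS at once, with a before/after report, as an added example that is not part of the thread or of Microsoft's documentation. It assumes the Exchange Management Shell with Organization Management rights; server names come from Get-OutlookAnywhere rather than being typed in, so nothing is missed. Clearing the external hostname only stops Autodiscover from handing out an external Outlook Anywhere endpoint; pair it with the reverse-proxy rule from earlier in the thread that blocks the /rpc path while still publishing /owa and ActiveSync.

```powershell
# Added example (not from the thread). Clear the Outlook Anywhere external
# hostname on every Exchange 2013 CAS and report what is left.
# Assumes: Exchange Management Shell, Organization Management rights.
$Preview = $true    # $true = -WhatIf only; set to $false to apply

Write-Host "Before:"
Get-OutlookAnywhere | Format-Table Server, InternalHostname, ExternalHostname -AutoSize

foreach ($oa in Get-OutlookAnywhere) {
    if ([string]::IsNullOrEmpty($oa.ExternalHostname)) {
        Write-Host "$($oa.Server): external hostname already empty, skipping"
        continue
    }
    Write-Host "$($oa.Server): clearing external hostname '$($oa.ExternalHostname)'"
    # $null clears the value; the post above uses '' for the same purpose.
    Set-OutlookAnywhere -Identity $oa.Identity -ExternalHostname $null -WhatIf:$Preview
}

# Verify: any CAS still carrying an external hostname is still published.
$remaining = Get-OutlookAnywhere | Where-Object { -not [string]::IsNullOrEmpty($_.ExternalHostname) }
if ($remaining) {
    Write-Warning "These servers still publish an Outlook Anywhere external hostname:"
    $remaining | Format-Table Server, ExternalHostname -AutoSize
} else {
    Write-Host "No CAS publishes an Outlook Anywhere external hostname."
}
```

With $Preview at $true the loop prints one "What if:" line per server and changes nothing, so the "remaining" list at the end will still show every server; set it to $false, re-run, and the list should be empty. Internal Outlook clients are unaffected because InternalHostname is never touched.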
