Block Or Allow Selected Users Depending On Location In Microsoft Exchange 2010 Outlook Web App


Please note that this article has been replaced by a newer version, which I think is better.

Block Or Allow Selected Users Depending On Location And AD Group Membership In Microsoft Exchange 2010 Outlook Web App

Occasionally, someone will ask if it is possible to block or allow certain users from using OWA depending on their location. For example, is it possible to only allow certain users access if they are on the LAN, but not from the Internet? There is currently no built-in way of doing this, but it’s possible if you are prepared to make a small change to one of the .aspx pages.

First, locate the startpage.aspx file in C:\Program Files\Microsoft\Exchange Server\v14\ClientAccess\Owa\forms\premium . Make a backup copy, then open it in Notepad. About 5 lines down, you will see a line like this:

  <%@ Import Namespace="Microsoft.Exchange.Clients.Owa.Premium.Controls" %>

Immediately after it, insert a block of code, like this:

  <%
  string strIP = Request.ServerVariables["REMOTE_ADDR"]; // client address as seen by IIS
  if(strIP.Length < 8 || strIP.Substring(0, 8) != "192.168.") // not on the LAN?
  {
    // The Length test stops Substring throwing when the address is shorter than
    // 8 characters (e.g. the IPv6 loopback "::1"); such addresses count as external.
    // Take the user name, drop any DOMAIN\ prefix and compare in upper case.
    string strUser = (Request.ServerVariables["REMOTE_USER"] ?? "").ToUpper();
    int p = strUser.IndexOf("\\");
    if(p != -1)
      strUser = strUser.Substring(p + 1);
    // Users permitted to use OWA from outside the LAN.
    Boolean blnFound = false;
    if(
       (strUser == "USER1")
    || (strUser == "USER2")
    )
      blnFound = true;
    // Anyone else is refused before the page renders.
    if(!blnFound)
    {
      Response.Write("Sorry, you are not allowed to access OWA from this location: " + strIP);
      Response.End();
    }
  }
  %>

There are a few things to note in this code. In the third line, the line containing strIP.Substring(0, 8), a check is made on the IP address of the client. In this example, the server is checking whether the IP address begins with “192.168.” (i.e. it is within the private IP address range 192.168.x.x). If your addressing scheme is different (e.g. you use something beginning with 10.), you will need to change this line. The second number passed to the .Substring function must match the number of characters you are checking, dots included.

The second thing to note is the list of user names:

    if(
       (strUser == "USER1")
    || (strUser == "USER2")
    )

this will obviously be different for you. I have formatted it so that you can easily add lines for extra permitted users by inserting something like:

    || (strUser == "USER3")
    || (strUser == "USER4")

Inserted lines must begin with || (the C# OR operator), and they must come before the final closing bracket at the end of the list.

The last thing to note is that this is a list of permitted users. To make it a list of blocked users, change the line

    if(!blnFound)

to

    if(blnFound)

This takes care of the Premium client. To do the same thing for the Basic client (and to prevent users from circumventing your restrictions), add the same code to the basicmessageview.aspx file in the basic folder. Add the code just before the <html> tag near the beginning of the file.

As with most modifications of this type, you will need to check that they still work after each product update; sometimes the update replaces your modified file with a new one.
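A hardened form of the same check, added here as an example rather than taken from the article; the class name OwaLocationGate, the internal ranges and the user names are assumptions. It parses REMOTE_ADDR as an address and matches it against CIDR ranges, so several internal subnets can be listed, a prefix such as "10.218.5" cannot accidentally match 10.218.50.x, and a short address such as the IPv6 loopback ::1 no longer makes Substring throw.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
// Hypothetical helper (added example, not the article's code): replaces the Substring(0, 8)
// prefix test with a CIDR match, so "10.218.5" cannot match 10.218.50.x and "::1" cannot throw.
public static class OwaLocationGate
{
    static readonly string[] InternalCidrs = { "192.168.0.0/16", "10.218.5.0/24" }; // assumed LAN ranges
    static readonly string[] ExternalAllowed = { "USER1", "USER2" }; // assumed users allowed from outside
    public static bool IsInternal(string remoteAddr)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddr, out ip)) return false;     // unparseable: fail closed
        if (IPAddress.IsLoopback(ip)) return true;                        // 127.0.0.1 and ::1
        if (ip.AddressFamily != AddressFamily.InterNetwork) return false; // only IPv4 ranges listed
        foreach (string cidr in InternalCidrs)
        {
            string[] parts = cidr.Split('/');
            uint net = ToUInt32(IPAddress.Parse(parts[0]));
            int bits = int.Parse(parts[1]);
            uint mask = bits == 0 ? 0u : uint.MaxValue << (32 - bits);
            if ((ToUInt32(ip) & mask) == (net & mask)) return true;
        }
        return false;
    }
    static uint ToUInt32(IPAddress a)
    {
        byte[] b = a.GetAddressBytes(); // network byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }
    public static bool IsAllowed(string remoteUser, string remoteAddr)
    {
        if (IsInternal(remoteAddr)) return true;
        if (string.IsNullOrEmpty(remoteUser)) return false; // no REMOTE_USER: fail closed
        int p = remoteUser.IndexOf('\\');                   // strip any DOMAIN\ prefix
        string user = p == -1 ? remoteUser : remoteUser.Substring(p + 1);
        foreach (string allowed in ExternalAllowed)
            if (string.Equals(user, allowed, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }
    public static void Main()
    {
        // Constructed sample requests (203.0.113.0/24 is a documentation range).
        Console.WriteLine(IsAllowed("CORP\\user3", "192.168.4.7"));  // internal user
        Console.WriteLine(IsAllowed("CORP\\user3", "203.0.113.9"));  // external, not on the list
        Console.WriteLine(IsAllowed("CORP\\user1", "203.0.113.9"));  // external, on the list
        Console.WriteLine(IsAllowed("CORP\\user3", "::1"));          // IPv6 loopback
    }
}
```

The two methods can be placed in a script runat="server" block in startpage.aspx and called in place of the string test. If OWA sits behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address, so the check has to use the client address the proxy forwards, and only if that proxy is trusted to set it.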


23 Responses to Block Or Allow Selected Users Depending On Location In Microsoft Exchange 2010 Outlook Web App

  1. Joe says:

    Can you take it one step further and query their AD security Group memberships then allow or disallow based on the group name? This would allow the updating of the list to be done on the AD side and never touch this file again.

    • admin says:

      Hi Joe. I’ll have a look, when I get some spare time, and see if I can do this.

    • admin says:

      Hello again Joe. I don’t have time to write this up yet, but the code is basically going to be something like this. The group BlockedOWAUsers contains the users you don’t want to access OWA externally. If you want to do it the other way round, put an exclamation mark after the opening if( bracket.


      // Replaces the user-name list in the article's block; strIP is the address
      // variable declared at the top of that block.
      System.Security.Principal.WindowsIdentity oUser = Request.LogonUserIdentity;
      System.Security.Principal.WindowsPrincipal oPrincipal = new System.Security.Principal.WindowsPrincipal(oUser);
      // Members of BlockedOWAUsers are refused when connecting from outside the LAN.
      if(oPrincipal.IsInRole("BlockedOWAUsers"))
      {
        Response.Write("Sorry, you are not allowed to access OWA from this location: " + strIP);
        Response.End();
      }

      • Joe says:

        Thanks very much for taking the time to look into this and reply. I will test this out today and let you know how it went!!

        Thanks!

  2. Jason says:

    Fabulous article, this so far is saving me a lot of work. I’m using the code for blocking based on group membership and it’s blocking the way it should be but I can’t get it to show the Response.Write; it just goes back to the Login Page and says the username/password is incorrect.

  3. Tony says:

    Howdy,

    I have been trying to get this to work on exchange 2013 and it doesn’t seem to do anything. I have tried this version of the code and the one on

    http://blog.leederbyshire.com/2013/03/13/block-or-allow-selected-users-depending-on-location-and-ad-group-membership-in-microsoft-exchange-2010-outlook-web-app/

    I wanted to see if anyone had gotten it to work for exchange 2013?

    Thanks in advance.

  4. Jon says:

    Hello. Was recently tasked with blocking certain users from external OWA access and didn’t know where to start. Found this page and it seems like exactly what I need. But when I tried to implement the lines of code and test, it didn’t work.

    I am a little confused on the IP address section. Should the IP listed be part of my network? We use multiple subnets. So for example, if one of my subnets is 10.218.5.x, should I be changing that line? Sorry, inherited this server and not really up to speed on these things.

    • admin says:

      Hello Jon. First, can I point you to this article, instead? I think it’s a bit easier to maintain.

      http://blog.leederbyshire.com/2013/03/13/block-or-allow-selected-users-depending-on-location-and-ad-group-membership-in-microsoft-exchange-2010-outlook-web-app/

      There are a few ways of looking at it. Well, four, actually. Here is an example. Say you want members of a certain AD group (the ones you want to block) to only be allowed to access OWA internally. So, you test for group membership, and then check if their IP address is in your private IP address space. That is where you use your value of “10.218.5”. Remember, though, when you compare the string to also be aware of the length of the string you are comparing it to. You will need to use

      if(strIP.Substring(0, 8) != "10.218.5")

      (i.e. you need 0, 8). Sometimes people forget to change the 8, and do something like

      if(strIP.Substring(0, 8) != "10.210.")

      which is fairly meaningless.

  5. Jon says:

    Thanks for that. This works tremendously! My mind was thinking of it backwards. It makes perfect sense now. Any future inquiries, I’ll refer to that new page you linked. Thanks again

  6. Shanaya says:

    Is it not possible to do this thing from ECP in exchange server 2016?????

  7. Shanaya says:

    I don’t understand the meaning of this statement: ”The second number passed to the .Substring function must match the number of digits you are checking.” What do we have to check here?? Please explain with an example.

    • admin says:

      I don’t have E2016, I’m afraid. I don’t think I’m likely to get it anytime soon. It’s worth mentioning, though, that under the surface, most things remain the same from one version to another.

    • admin says:

      In the code, there is the line
      if(strIP.Substring(0, 8) != "192.168.")
      the second parameter is 8, because “192.168.” is 8 characters long. If you wanted to compare a different IP range substring, like “10.0.” (which is 5 characters), you would use:
      if(strIP.Substring(0, 5) != "10.0.")

  8. Shanaya says:

    Okay, thank you sir…
    Sir, what do I have to do if I want to block the users from multiple networks???
    Should I give these commands??

    <%
    string strIP = Request.ServerVariables["REMOTE_ADDR"];
    if(strIP.Substring(0, 11) != "192.168.10.")
    if(strIP.Substring(0, 11) != "192.168.11.")

    Will It work??
    Or please tell me what to do in case we have to block users in Multiple networks.

    • admin says:

      Hello. You’d need to use the C# OR operator (||) in a single line:

      // Both comparisons must fail before the client counts as external; joined with ||
      // the test would always be true, since an address cannot start with both prefixes.
      if((strIP.Substring(0, 11) != "192.168.10.") && (strIP.Substring(0, 11) != "192.168.11."))

      But if you don’t have other subnets that DO require access, it would be easier to use just:

      if(strIP.Substring(0, 8) != "192.168.")

  9. Tim says:

    I’m attempting to port this code to Exchange 2013. I’ve seen the similar writeup you did for 2013 using AD Groups, but I don’t want to go that route. My goal is to simply block Administrator from accessing OWA externally. Using this code and the writeup you did for 2013, I’ve been trying to get this to work. I have not been successful. This is Exchange 2013 on Server 2012r2. The startpage.aspx file from Server 2008 does not seem to exist. I’ve instead tried to add this code to the default.aspx file at \Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa. I’ve not had any luck. I can’t even demonstrate that I’m actually using this file. I tried putting just the Response.End() line at the top of the file to completely break it to prove that it’s the correct file but had no luck with that either.

    I’m not sure how to determine which file is actually getting used. Since nothing in the web server configuration seems to point to any given file, I would assume that it is using default.aspx in the configured directory, but this does not seem to be the case.

    • admin says:

      Exchange makes a few sneaky changes to IIS (I think they now make it more complicated just for the fun of it), so it’s hard to work out what’s going on. I’m on vacation at the moment, so I don’t have anything to look at, but I think the file to change is in frontend/httpproxy or httpproxy/frontend or something like that. Or maybe it’s changed in the latest service pack. I’ll have a look next week, but what’s in the article should work now. I had to revise it a few times, though. I’m not going to bother with E2016 – I’m tired of playing catch-up :-)
