Block Or Allow Selected Users Depending On Location And AD Group Membership In Microsoft Exchange 2010 Outlook Web App


A while ago, I wrote an article describing how you might block or allow certain users from using OWA depending on their location. For example, is it possible to only allow certain users access if they are on the LAN, but not from the Internet? There is currently no built-in way of doing this, but it’s possible if you are prepared to make a small change to one of the .aspx pages. My original method (being a bit crude) relied on the administrator maintaining a list of users in the source code for the logon page itself. Someone sent me a reply, asking if it might be done based on Active Directory group membership. This is, of course, a much better way of doing it. So here goes. It assumes you have a group named something like AllowExternalOWA.

First, locate the startpage.aspx file in C:\Program Files\Microsoft\Exchange Server\v14\ClientAccess\Owa\forms\premium. Make a backup copy, then open it in Notepad. About 5 lines down, you will see a line like this:

<%@ Import Namespace="Microsoft.Exchange.Clients.Owa.Premium.Controls" %>

Immediately after it, insert a block of code, like this:

<%
string strIP = Request.ServerVariables["REMOTE_ADDR"]; // client address as seen by the server
if(strIP.Length < 8 || strIP.Substring(0, 8) != "192.168.")
{
    // Anything not beginning with "192.168." is treated as external. The Length guard
    // stops .Substring throwing when the address is shorter than 8 characters
    // (for example the IPv6 loopback address ::1), which would otherwise break the page.
    // External clients must be members of the AllowExternalOWA group.
    System.Security.Principal.WindowsIdentity oUser = Request.LogonUserIdentity;
    System.Security.Principal.WindowsPrincipal oPrincipal = new System.Security.Principal.WindowsPrincipal(oUser);
    if(!oPrincipal.IsInRole("AllowExternalOWA"))
    {
        Response.Write("Sorry, you are not allowed to access OWA from this location: " + strIP);
        Response.End();
    }
}
%>

There are a few things to note in this code. In the third line, a check is made on the IP address of the client. In this example, the server is checking to see if the IP address begins with “192.168.” (i.e. it is within the private IP addressing range 192.168.x.x). If your addressing scheme is different (e.g. you use something beginning with 10.), you will need to change this line. The second number passed to the .Substring function must match the number of characters you are checking (8 for “192.168.”, 4 for “10.1”); if it does not, the comparison will never match. Be aware that REMOTE_ADDR may contain an IPv6 address rather than an IPv4 one, in which case a comparison against an IPv4 prefix will always fail and internal users will be treated as external.

The second thing to note is the group membership check:

if(!oPrincipal.IsInRole("AllowExternalOWA"))

This is a (suggested) group name of permitted users. To make it check for blocked users (note the change in [suggested] group name), change that line to

if(oPrincipal.IsInRole("BlockExternalOWA"))

This takes care of the Premium client. To do the same thing for the Basic client (and to prevent users from circumventing your restrictions), add the same code to the basicmessageview.aspx file in the basic folder. Add the code just before the <html> tag near the beginning of the file.

As with most modifications of this type, you will need to check that they still function after each product update. Sometimes your modified file will be replaced by a new one from the update.
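The location check rewritten as a small C# helper, as an added example that is not the article's code: it parses the address with System.Net.IPAddress and matches CIDR blocks, so it generalises the article's single 192.168. prefix to several internal ranges and handles the IPv6 and IPv4-mapped addresses that trip up a string prefix test. The class name, the range list and the App_Code placement are assumptions.

```csharp
using System.Net;
using System.Security.Principal;
// Added example, not the article's code. Place in App_Code (or a referenced assembly)
// and call it from the block the article adds to startpage.aspx:
//   string denial = OwaLocationPolicy.Evaluate(Request.ServerVariables["REMOTE_ADDR"],
//       new WindowsPrincipal(Request.LogonUserIdentity));
//   if (denial != null) { Response.Write(denial); Response.End(); }
public static class OwaLocationPolicy
{
    // Constructed internal ranges: replace with your own. CIDR matching means
    // "10.1.0.0/16" does not also match 10.10.x.x, as Substring(0, 4) == "10.1" would.
    static readonly string[] InternalRanges =
        { "192.168.0.0/16", "10.1.0.0/16", "127.0.0.0/8", "::1/128" };
    const string ExternalGroup = "AllowExternalOWA";   // group name suggested by the article

    // Null when access is allowed, otherwise the message to show. Internal
    // clients always pass; external clients must be in the group.
    public static string Evaluate(string remoteAddr, IPrincipal user)
    {
        if (IsInternal(remoteAddr)) return null;
        if (user != null && user.IsInRole(ExternalGroup)) return null;
        return "Sorry, you are not allowed to access OWA from this location: " + remoteAddr;
    }

    // True when REMOTE_ADDR parses and lies inside any internal range; anything
    // unparseable is external (fail closed). Behind a reverse proxy REMOTE_ADDR
    // is the proxy's own address, so keep the proxy out of the ranges above.
    public static bool IsInternal(string remoteAddr)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddr, out ip)) return false;
        ip = UnmapIPv4(ip);
        foreach (string cidr in InternalRanges)
            if (InCidr(ip, cidr)) return true;
        return false;
    }

    // ::ffff:192.168.1.5 (IPv4 carried inside IPv6) becomes 192.168.1.5.
    static IPAddress UnmapIPv4(IPAddress ip)
    {
        byte[] b = ip.GetAddressBytes();
        if (b.Length != 16 || b[10] != 0xFF || b[11] != 0xFF) return ip;
        for (int i = 0; i < 10; i++) if (b[i] != 0) return ip;
        return new IPAddress(new byte[] { b[12], b[13], b[14], b[15] });
    }

    // Bitwise prefix comparison of ip against "network/bits".
    static bool InCidr(IPAddress ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress net = IPAddress.Parse(parts[0]);
        int bits = int.Parse(parts[1]);
        if (net.AddressFamily != ip.AddressFamily) return false;
        byte[] a = ip.GetAddressBytes(), n = net.GetAddressBytes();
        for (int i = 0; i < a.Length && bits > 0; i++, bits -= 8)
        {
            int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }
}
```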


56 Responses to Block Or Allow Selected Users Depending On Location And AD Group Membership In Microsoft Exchange 2010 Outlook Web App

  1. This is the best article for one of the biggest requirements in most corporate houses!!!!

  2. Frank says:

    This works as expected when adding a user to (“BlockExternalOW”) – the user is excluded when attempting to log on. However, after removing the user from the excluded group the user is still excluded until IIS has been restarted. Is there a way to programmatically update roles from the AD before checking if the user is in the excluded group and not have to restart IIS after a change?

  3. gb says:

    I’m having trouble implementing this.
    We’ve created an AD group called “RemoteEmailUsers” and added a test user.
    When connected to OWA from an IP address outside of our network, this user that’s supposed to have access is blocked. The account logs in normally inside the network.
    Any advice?
    Thanks!

  4. gb says:

    Thanks for that. Tried it and it reports false, though I know I am in the role.
    This is what I suspected. Am unsure how to proceed as I’m not terribly familiar with ASP. How could I list all of the roles for the user attempting to log in? I’d like to see if it’s pulling any of that info properly.
    Thanks again!

    • admin says:

      Try adding this before the line you just added:

      foreach (System.Security.Principal.IdentityReference oGroup in oUser.Groups)
      {
      Response.Write(oGroup.Translate(typeof(System.Security.Principal.NTAccount)).Value + "<br>");
      }

  5. gb says:

    Thank you! That helped me to see the groups to which the user belonged and to fix the problem!

    When I originally created the group, I called it “Remote Email Users”, then changed it to “RemoteEmailUsers”. The ‘pre Windows 2000’ name didn’t change when I renamed it. I removed those spaces and was able to get in.

    I’m testing it right now but think that it’ll be just fine.

    Thanks for your help and support, I appreciate it!! This script is fantastic.

  6. gb says:

    After using this for a while it’s really going to work!
    Is there any way to add an OR to the list of accepted IPs? I’ve tried a couple of times but am not sure I’m doing it right.
    In other words, I’d like to have something like:
    if(strIP.Substring(0, 8) != "192.168." OR "10.10.1.")
    but when I do this, it throws up an error.
    Thanks again for this sweet script!

    • admin says:

      This is C#, so you will need to use the || operator. Also, the way you have written it, while it may have actually compiled (had you used ||), is not as specific as it needs to be. Try this:

      if((strIP.Substring(0, 8) != "192.168.") || (strIP.Substring(0, 8) != "10.10.1."))

      This has an added (but small) benefit, in that you are also not restricted to comparing 8 digits, so you could also use:

      if((strIP.Substring(0, 8) != "192.168.") || (strIP.Substring(0, 6) != "10.10."))

      if you needed to.

  7. Frank says:

    Dude:

    awesome coding. We dropped Outlook to save on licensing and this code lets us use IE/OWA internally and only let in the external people we want. No creating new virtual directories…
    thanks

  8. Jeff says:

    Is there a way to only block by security group and not by IP? I have two OWA instances, I want one for internal and one for external so I want to explicitly filter a certain group from accessing the external site.

    Thanks

    • admin says:

      I’m not able to try it out, but it should work if you just use the central block

      System.Security.Principal.WindowsIdentity oUser = Request.LogonUserIdentity;
      System.Security.Principal.WindowsPrincipal oPrincipal = new System.Security.Principal.WindowsPrincipal(oUser);
      if(!oPrincipal.IsInRole("AllowExternalOWA"))
      {
          Response.Write("Sorry, you are not allowed to access OWA from this location");
          Response.End();
      }

  9. Nate says:

    Does anyone know if this will work for Exchange 2013?

    • admin says:

      I don’t regularly use E2013 yet. But it should work if you can work out the correct logon.aspx file to insert it into. Can you find a logon.aspx file on your CAS server?

  10. Dustin says:

    I came across a problem with some users that I haven’t been able to fix yet. They were getting the disallowed prompt even though they were internal, and their IP addresses started with the range I specified. On the disallowed screen, it was not showing the user’s IP address, but the proxy server’s. Both the user’s and the proxy server’s IPs were in the specified range of 10.25.x.x, but the user couldn’t get through.

    If I logged into OWA (I’m in the OutlookWebAccess AD group), it let me in.

    Here is the code I used:

  11. KarlB says:

    I just tried it on EX2013 and it worked.

    A few things to note:
    The file that needs to be modified is DEFAULT.ASPX in the C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa folder.

    I put the code after the line that says “” which was the 5th line from the top.

    I also had to adjust the IIS bindings to specify it only should bind to IPv4 address. It defaults to ANY IP address and IPv6 causes it to not work.

    Tested on W8.1 – IE11, CR 41.0.2272.118. Server 2012 R2 – EX2013(847.32)

    I confirmed also that an IISreset is necessary to adjust and test membership to the group.

  12. JimK says:

    Great piece of code, but I couldn’t get your example of the || operator to work. However, I did get this to work:

    string strIP = Request.ServerVariables["REMOTE_ADDR"];
    if (strIP.Substring(0, 3) != "10.")
    {
        if (strIP.Substring(0, 8) != "192.168.")
        {
            System.Security.Principal.WindowsIdentity oUser = Request.LogonUserIdentity;
            System.Security.Principal.WindowsPrincipal oPrincipal = new System.Security.Principal.WindowsPrincipal(oUser);
            if(!oPrincipal.IsInRole("OWA_External_Clients"))
            {
                Response.Write("Sorry, you are not allowed to access OWA from this location:" + strIP);
                Response.End();
            }
        }
    }

  13. neeraj says:

    Hi,

    I am trying to use this code for all the users when they log in from a particular segment. When the user tries to log in from the segment which has IP 10.12.25, then uploading attachments should be blocked. This I am achieving by adding your code to the attachfiledialog.aspx file.

    We have 2 CAS servers and 2 mailbox servers. When I am trying to log in from 10.12.25.65 and 10.12.25.66 this setting is working, but when I am trying the same from the mailbox server, i.e. IP 10.12.25.63 or 10.12.25.64, this setting is not working.

    • admin says:

      Try adding some code to reveal the client IP address – you may find that it is using an IPv6 address. Add this as the second line of extra code
      Response.Write("IP address = " + strIP);
      and look for it in the page source from the IE View menu.

  14. harold mcmullen says:

    question: the original code does well for allowing specific users to log in from other IP addresses, but blocks all internal OWA users. What if you want OWA to work for every user internal to the organization, but only a few select users from outside (Internet)?

    • admin says:

      Hi Harold. The code should not block internal users. What code do you have for making the comparison against the internal IP address (looks like this in the article)?

      if(strIP.Substring(0, 8) != "192.168.")

      You may find that the server has an IPv6 address in the variable strIP, in which case the comparison will always fail.

  15. harold mcmullen says:

    admin,
    maybe I am confused. (ok I am)…what I am trying to do is allow internal use of owa to all staff, but restrict external use of owa to a few managers.
    Not sure if you can help me, but I surely appreciate any and all comments and for you taking the time to answer my request.
    -harold

    • admin says:

      That is what the article should do for you. All internal use is allowed, but only restricted external use. If that is not what you get, then we need to investigate a little. You say that your internal users are getting blocked, so the message they see should indicate what the server thinks their IP address is. This might not be what you are expecting, for example it might be an IPv6 address, not an IPv4 address. Or it might be the address of a proxying server. Can you give me an example of the IP address that is displayed when they see the message

      Sorry, you are not allowed to access OWA from this location xxx.xxx.xxx.xxx

  16. harold mcmullen says:

    hey admin,
    sorry but I used a code from another of your pages. utilizing the code above does not throw the error anymore. but we haven’t used OWA from outside in years so I have to get dns and isa ready before I can test out the code externally.
    I will followup as soon as I get there.

    thank you again for taking the time out to help me.
    -harold

  17. harold mcmullen says:

    hey admin,
    got a real life test of the code and here is what happened:
    (right now, we allow managers to access OWA from home by vpn’ng into lan and then accessing OWA, and we also allow any staff to access OWA when they are at work logged into our lan.)
    I took the above code and placed it into startpage.aspx as described above, substituting 10.1 (our internal ip) for 192.168.
    I created security group with the all the users allowed access from outside.
    (when a staff member vpn’d into the Lan and tried to open OWA, they received the error msg: sorry, you are not allowed… )
    (also, when another staff person tried to access OWA during the day while at work logged into our Lan, (from ip 10.1.x.x) they received same error message.
    Am I doing something wrong or am I doing something wrong? any suggestions?
    ps. thanks in advance for your assistance.
    -harold

    • admin says:

      Okay, first thing (and something that catches a few people out) is this. The article has

      if(strIP.Substring(0, 8) != "192.168.")

      You are changing the IP range to "10.1", which is 4 characters in length, so make sure you don’t just have

      if(strIP.Substring(0, 8) != "10.1")

      You need

      if(strIP.Substring(0, 4) != "10.1")

      i.e. the (0, 8) needs to change to (0, 4). If you leave it as (0, 8), the comparison is meaningless.

      Next, does it say what their IP address is after the “Sorry, you are not allowed…” message? Does it look like an IPv4 address (which is what the article assumes), or an IPv6 address?

  18. harold mcmullen says:

    -changed to "if(strIP.Substring(0, 4) != "10.1")"
    -yes the IP address is IPv4 not IPv6…(192.168.x.x)
    i am going to try again this eve, will update after that
    thanks again,
    harold

    • admin says:

      Hi Harold. You gave your example IP address as 192.168.x.x . Is that correct, or did you mean to type 10.1.x.x ? If you compare a 192.168 IP with 10.1 it will never match.

      What sort of IP address does it give when it says “Sorry, you are not allowed to access OWA from this location: xxx.xxx.xxx.xxx”? Is it 10.1.something?

  19. harold mcmullen says:

    hey admin,
    I am not a programmer nor do I play one on tv, but I am confused. Let me show you what I am doing and tell me where I am messing up.

    so…right now, we want about 15 staff members to have the ability to log into our owa from anywhere in the world.(will actually be from somewhere in town, but…) OK, so I created security group with 15 staff and call it “AllowExternalOWA”
    then I make a backup copy of “startpage” and then add the following code to “startpage”.

    Our internal ip scheme is 10.1.x.x

    so I changed following bit

    if(strIP.Substring(0, 8) != "192.168.")
    to
    if(strIP.Substring(0, 4) != "10.1")

    Is this correct?

    or am I way off base?

    -harold

  20. harold mcmullen says:

    well, that is the problem. When I used my phone to try to access OWA (turned off wireless and used 3G) I was allowed in. But my work associate, who is not in the security group, also was able to log into OWA from his phone when he turned off wifi and used his 4G phone. So it appears to not block anybody.
    now let me ask you a couple of questions:
    1:how does it know to check against the security group.
    2: my work associate…he is a member of the exchange admin group…but not a member of the “AllowOWAExternal” security group…would that be why he can access OWA even tho’ not a member of the security group?
    -let me say, I truly appreciate all of the time you have taken out of your time to help me with this question/problem. I am sure you are very busy in your daily endeavors, and to take the time to help me is very nice of you. thank you…-Harold
    ps. I also apologize for being an idiot when it comes to this stuff…believe me, there are some things I know a lot about…this isn’t one of them!!

    • admin says:

      Don’t worry Harold – it’s only by solving problems that we really learn anything – myself included. It’s quite likely that there is something I’m not noticing. For one thing, my latest assumption was that no-one could access it, rather than everybody.

      The bit that checks group membership is this

      if(!oPrincipal.IsInRole("OWA_External_Clients"))

      The exclamation mark ! means ‘Not’, so basically, it is saying ‘if the user is not in the OWA_External_Clients group, then execute the following block of code’, which is meant to display the message, and then stop execution.

      One thing you might try (to help troubleshooting) is to insert the line

      Response.Write("User is in group = " + oPrincipal.IsInRole("OWA_External_Clients"));

      before the above if… line, and see if you can see the word ‘true’ or ‘false’ displayed anywhere. That will tell you if it believes that the user is in the group, or not. You may need to look at the browser’s page source to see it, since randomly inserted bits of text like this are easily hidden by css-positioned DIVs.

      Another thing is to make sure (especially if you copy/paste code from a WordPress blog like this) that any quotes in your code are the nice simple ones that are just vertical lines of a few pixels, and not the ‘fancy’ ones made of a blob and a curly tail. WordPress thinks we like the fancy ones, but they break code, since they are not legal quote characters in code.

  21. harold mcmullen says:

    hey admin…whom I suspect is “lee”… thanks. finally got it to work. thanks for the help, advice, and kind words.

    -harold

    • admin says:

      That’s great news. Yes, my name is Lee Derbyshire, but I haven’t taken the time to set up a personal account on the site, rather than use the built-in admin account. One day…

  22. JG says:

    Such a good article. Many thanks

  23. toddo says:

    Can’t seem to get it to work on Exchange 2013. Followed KarlB’s suggestion and copied over your code verbatim to the default.aspx file. Not restricting access. Please advise.

    Thanks.

    • admin says:

      Hi Toddo. How many Exchange servers do you have? If it’s more than one, I’ve discovered that you need to do it on each one, not just the CAS.

  24. toddo says:

    It’s only a single Exchange server. I also found another post of yours that had code for 2013. Tried following those instructions as well and it’s still not working. Any ideas?

  25. toddo says:

    logon.aspx? I thought it said to edit the default.aspx.

    • admin says:

      Oops, yes. Of course. I did some other mods for the logon.aspx. Sometimes I forget which one we’re talking about. Send me the default.aspx file.

  26. toddo says:

    i’ll move this post to the other blog for Exchange 2013.

    Thanks.

  27. Sunil says:

    Hi, I want to disable OWA for particular group members who should not have access to OWA from outside the network. I have created the group “BlockExternalOWA”; OWA is now not working inside the network either. I used the command below. We are using Exchange 2010.

    • admin says:

      Hello. I can’t tell what you mean by ‘I used below command’. Can you post for me the code you inserted into the startpage.aspx file?

  28. jason.huang says:

    Hi, I want to disable owa from outside the network where the should not group . We are using Exchange 2010.

    • admin says:

      Hello Jason. I’m not entirely sure what you are asking, but I think the article describes what you want to do. Are you having a problem implementing it?

      Or do you want to block external OWA access completely? That can be done with the optional IIS component called ‘IP Address Restrictions’.



