Controlling EWS access in Exchange 2010 SP1


Another example of a late-breaking change in Exchange 2010 SP1 that causes authors to tear their hair out (if they have any) is the new ability to control access to Exchange Web Services (EWS) on an organization-wide or user-specific basis. Organization-wide access is controlled through the Set-OrganizationConfig cmdlet while the Set-CASMailbox cmdlet controls access on an individual basis.

For example, to block access for a user:

Set-CASMailbox -Identity 'Joe Soap' -EWSEnabled $False

A quick description of the available parameters is shown below:

EWSAllowEntourage Specifies whether to allow or disallow Entourage 2008 for Mac, Web Services Edition to access Exchange Web Services for the user. Note that the Web Services Edition of Entourage 2008 uses EWS exclusively, so this parameter can be used to block it.
EWSAllowList Specifies the applications (identified by user agent strings) that can access Exchange Web Services when the EWSApplicationAccessPolicy parameter is set to EnforceAllowList.
EWSAllowMacOutlook Specifies whether to allow or disallow Outlook for Mac to access Exchange using EWS. Future versions of Outlook for Mac will use EWS exclusively.
EWSAllowOutlook Specifies whether to allow or disallow Outlook 2007 to access Exchange Web Services for the user. Outlook uses Exchange Web Services for free/busy, OOF, and calendar sharing.
EWSApplicationAccessPolicy Specifies which applications other than Entourage, Outlook for Mac 2011 and Outlook can access Exchange Web Services. If set to EnforceAllowList, only applications specified in the EWSAllowList parameter are allowed access to Exchange Web Services. If set to EnforceBlockList, every application is allowed access to Exchange Web Services except the ones specified in the EWSBlockList parameter.
EWSBlockList Specifies the applications (user agent strings) that can't access Exchange Web Services when the EWSApplicationAccessPolicy parameter is set to EnforceBlockList.
EWSEnabled Specifies whether to globally enable or disable Exchange Web Services access for a user, regardless of which application is making the request.

When the EWSEnabled parameter is set to $false, Exchange Web Services access is turned off regardless of the values of the EWSAllowEntourage, EWSAllowMacOutlook and EWSAllowOutlook parameters, and regardless of any allow or block list.
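Before you switch EWSApplicationAccessPolicy to EnforceAllowList it is worth knowing which user agents are actually calling EWS today, otherwise the first you hear of a client you forgot is when it stops working. The user agent of every EWS request is recorded in the IIS logs on the Client Access Server, so the check is a log summary. The script below is an added example and not part of the original post: the log lines are constructed for illustration (the field order is the IIS 7.x default), the function name Get-EwsUserAgentSummary is mine, and the log path in the comment is the default IIS 7 location, which your servers may not use. It is written to run on PowerShell 2.0, the version that ships with the Exchange 2010 Management Shell.

```powershell
# Added example (not from the original post): summarise which user agents hit
# /EWS on a Client Access Server, from IIS W3C log lines. The sample log below
# is constructed; the #Fields line follows the IIS 7.x default column layout.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-03-24 08:01:12 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\jsoap 192.0.2.10 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.4760;+Pro) 200 0 0 120
2011-03-24 08:01:15 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\akim 192.0.2.11 MacOutlook/14.0.0.100825+(Intel+Mac+OS+X+10.6.4) 200 0 0 98
2011-03-24 08:01:20 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\jsoap 192.0.2.12 OurGreatApp/1.2 200 0 0 45
2011-03-24 08:01:22 10.0.0.5 GET /owa/ - 443 CONTOSO\akim 192.0.2.11 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 30
2011-03-24 08:02:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.7 Mac+OS+X/10.7.3+(11D50);+ExchangeWebServices/3.0+(146);+Mail/5.2+(1257) 401 1 0 12
'@

function Get-EwsUserAgentSummary {
    param(
        [Parameter(Mandatory=$true)] [string[]] $LogLines,
        [string] $UriPrefix = '/EWS/'     # only requests under this path are counted
    )
    $fields = $null
    $hits = foreach ($line in $LogLines) {
        # The #Fields directive gives the column layout. It can change part way
        # through a file when logging settings are edited, so re-read it each time.
        if ($line -match '^#Fields:\s+(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if (-not $fields -or $line -match '^#' -or $line.Trim() -eq '') { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed line, skip it
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['cs-uri-stem'] -notlike "$UriPrefix*") { continue }
        # IIS writes spaces inside the user agent as '+'; undo that for readability.
        New-Object PSObject -Property @{
            User      = $rec['cs-username']
            ClientIP  = $rec['c-ip']
            UserAgent = ($rec['cs(User-Agent)'] -replace '\+', ' ')
            Status    = [int]$rec['sc-status']
        }
    }
    # One row per distinct user agent: how often it called EWS, as whom, from
    # where, and which HTTP statuses it got (a 401-only agent never got in).
    $hits | Group-Object UserAgent | Sort-Object Count -Descending | ForEach-Object {
        New-Object PSObject -Property @{
            Requests  = $_.Count
            UserAgent = $_.Name
            Users     = (($_.Group | ForEach-Object { $_.User }     | Sort-Object -Unique) -join ', ')
            ClientIPs = (($_.Group | ForEach-Object { $_.ClientIP } | Sort-Object -Unique) -join ', ')
            Statuses  = (($_.Group | ForEach-Object { $_.Status }   | Sort-Object -Unique) -join ',')
        }
    }
}

# Against the constructed sample above:
Get-EwsUserAgentSummary -LogLines ($sampleLog -split "`r?`n") |
    Format-Table Requests, UserAgent, Users, ClientIPs, Statuses -AutoSize

# Against a real CAS log (default IIS 7 log path, an assumption):
# Get-EwsUserAgentSummary -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex110324.log') |
#     Format-Table Requests, UserAgent, Users, ClientIPs, Statuses -AutoSize
```

The /owa/ line is deliberately included to show that only the /EWS/ path is counted. The resulting UserAgent column is exactly what EWSAllowList and EWSBlockList are matched against, so anything that appears there and is not Outlook, Outlook for Mac or Entourage needs either an allow-list entry or a conscious decision to cut it off.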

For example, you could set organization access up so that EWS is only enabled for Outlook, Entourage, and a user agent that presents the string "OurGreatApp":

Set-OrganizationConfig -EWSEnabled $True -EWSAllowOutlook $True -EWSAllowEntourage $True -EWSApplicationAccessPolicy EnforceAllowList -EWSAllowList "OurGreatApp*"

One caveat to keep in mind: the allow and block lists are matched against the User-Agent header that the client chooses to send, so they are a policy control rather than a security boundary. Any client that knows the string can present itself as "OurGreatApp" and pass the check; it still has to authenticate as a mailbox user, but the list does not keep it out. If you need to keep a particular person off EWS altogether, EWSEnabled $False on the mailbox is the only one of these settings that does not depend on what the client claims to be.
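Putting the organization-wide command and the per-mailbox Set-CASMailbox call together, as an added example that is not part of the original post: the function below snapshots the current settings so the change can be undone from the shell (SP1 has no UI for any of this), applies the allow-list policy, disables EWS for a list of mailboxes, and then reads the settings back rather than trusting that the calls succeeded. It also sets EWSAllowMacOutlook explicitly, which the one-liner above leaves at whatever value it already has. "OurGreatApp*", the mailbox names, the backup path and the function names are placeholders of mine; everything else is the cmdlets and parameters described above.

```powershell
# Added example (not from the original post). Run in the Exchange 2010 SP1
# Management Shell. The agent pattern, mailbox names and backup path are
# placeholders; the EWS* parameters are the ones documented in the post.
function Set-EwsAccessPolicy {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        # Extra user agent patterns permitted alongside Outlook, Outlook for Mac
        # and Entourage (EWSAllowList accepts wildcards).
        [string[]] $AllowedAgents    = @('OurGreatApp*'),
        # Mailboxes whose EWS access is switched off regardless of client.
        [string[]] $BlockedMailboxes = @(),
        # Where the pre-change organization settings are saved for rollback.
        [string]   $BackupPath       = (Join-Path $env:TEMP 'ews-orgconfig-before.xml')
    )

    # 1. Snapshot the organization-level EWS settings before touching anything.
    $before = Get-OrganizationConfig | Select-Object EWSEnabled, EWSAllowOutlook,
        EWSAllowMacOutlook, EWSAllowEntourage, EWSApplicationAccessPolicy,
        EWSAllowList, EWSBlockList
    $before | Export-Clixml -Path $BackupPath
    Write-Verbose "Saved current EWS settings to $BackupPath"

    # 2. Organization-wide: the Microsoft clients plus the listed agents, nothing else.
    if ($PSCmdlet.ShouldProcess('OrganizationConfig', 'Enforce EWS allow list')) {
        Set-OrganizationConfig -EWSEnabled $true `
            -EWSAllowOutlook $true -EWSAllowMacOutlook $true -EWSAllowEntourage $true `
            -EWSApplicationAccessPolicy EnforceAllowList `
            -EWSAllowList $AllowedAgents
    }

    # 3. Per mailbox: EWSEnabled $false overrides every EWSAllow* setting and list.
    foreach ($mbx in $BlockedMailboxes) {
        if ($PSCmdlet.ShouldProcess($mbx, 'Disable EWS')) {
            Set-CASMailbox -Identity $mbx -EWSEnabled $false
        }
    }

    # 4. Read back what is now in effect.
    Get-OrganizationConfig | Format-List EWS*
    $BlockedMailboxes | ForEach-Object { Get-CASMailbox -Identity $_ } |
        Format-Table Name, EWSEnabled -AutoSize
}

function Restore-EwsAccessPolicy {
    # Put the organization-level settings back from the snapshot taken above.
    param([string] $BackupPath = (Join-Path $env:TEMP 'ews-orgconfig-before.xml'))
    $saved = Import-Clixml -Path $BackupPath
    Set-OrganizationConfig -EWSEnabled $saved.EWSEnabled `
        -EWSAllowOutlook $saved.EWSAllowOutlook `
        -EWSAllowMacOutlook $saved.EWSAllowMacOutlook `
        -EWSAllowEntourage $saved.EWSAllowEntourage `
        -EWSApplicationAccessPolicy $saved.EWSApplicationAccessPolicy `
        -EWSAllowList $saved.EWSAllowList `
        -EWSBlockList $saved.EWSBlockList
}

# Preview first, then apply:
# Set-EwsAccessPolicy -BlockedMailboxes 'Joe Soap','Jane Doe' -WhatIf
# Set-EwsAccessPolicy -BlockedMailboxes 'Joe Soap','Jane Doe' -Verbose
# Roll the organization settings back if a client you forgot about stops working:
# Restore-EwsAccessPolicy
```

Because the function declares SupportsShouldProcess, -WhatIf is passed down to the Exchange cmdlets it calls, so a dry run shows every Set-OrganizationConfig and Set-CASMailbox change without making it. Restore-EwsAccessPolicy only reverts the organization settings; per-mailbox EWSEnabled changes have to be undone with Set-CASMailbox -EWSEnabled $true for each mailbox.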

SP1 does not expose any UI in EMC or ECP to control EWS access. This may appear in a future service pack for Exchange 2010, or then again, it might not… Now the question is whether I can fit this information into the book or is it just too esoteric to make me want to omit it, given that space is tight anyway…

– Tony

Learn lots more about how to control Exchange 2010 clients in my Microsoft Exchange Server 2010 Inside Out book!

Other information (24 March 2011) from a correspondent who was struggling with EWS access. He writes:

It was a new consultant who found this document (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=894bab3e-c910-4c97-ab22-59e91421e022), followed it from page 8 onward, and recreated three publishing rules in TMG2010 (and also changed something related to authentication under "Client Access Server" in Exchange). After that, it looks like everything works, including Outlook 2011 for Mac from outside the office, setting Out of Office replies via iPhone (even reliable Scheduling Assistant and Mail Tips when using Outlook Anywhere in Outlook 2010 for PC!).

We also needed forms based authentication (I think) to work for our OWA since some people need to be able to change their expired passwords via the Web. That was not working earlier, either.

About Tony Redmond ("Thoughts of an Idle Mind")

Exchange MVP, author, and rugby referee
This entry was posted in Exchange, Exchange 2010.

20 Responses to Controlling EWS access in Exchange 2010 SP1

  1. Jonas says:

    Dear Tony:
    Thanks for the informative article.
    We are at an impasse with EWS. No one seems to know anything about this technology. Even the most renowned Exchange and security experts cannot get EWS to work correctly and there is no proper documentation anywhere (which leaves us scavenging the web for snippets like this article). We are behind a TMG 2010 firewall, I might add, but the whole OA service–which should include EWS, I believe–is published in it.
    We need help and we need it now. Can you, or can you refer us to someone who can?
    We are located in Sweden but I suppose it could be done online.
    Please, help!

  2. I am in the same predicament. I have even bought some of the video trainings like trainsignal on the subject and really need to use this. You would think there would be something out there. I can’t get any of my programs that I want to send me status updates and emergency messages to work with it, and the code snippets I have found have no contextual elaboration, so I am really frustrated since my server just went down and if EWS was working I would have gotten notified two days before my whole company ended up without email. This really sux.

  3. I am looking for a way to disable EWS access for Mac Outlook 2011 from external (via TMG). If I shutdown EWS for all Outlook 2011, we disable that internally, which is not good. I can’t just shutdown EWS all together, we have our Windows clients requiring this. Looking for suggestions on how to accomplish this, appreciate any direction.

  4. Todd S. says:

    I want to disable Apple Mail or Mac Mail client from connecting to Exchange 2010. If our policy doesn’t allow Outlook Anywhere for Windows clients, why would we allow non-domain joined personal Macintosh computers to bypass the policy and connect to Exchange. Does the -EWSAllowEntourage $False or -EWSAllowMacOutlook $False commands block Mac Mail clients? In my testing it has not. I can’t turn off EWS altogether since I need Outlook, ActiveSync, OOF and Free/Busy, and Calendar Sharing to work. I’m a novice at PowerShell, so please help me with a script to turn off Mac Mail for the organization. Thanks.

    • I don’t think Apple Mail or Mac Mail use Exchange Web Services to connect to Exchange. AFAIK, only Outlook 2011 for Mac and Entourage for Mac (EWS edition) use Exchange Web Services. However, I am not an Apple Mail expert by any means and suggest that you need to do some research elsewhere. Maybe they connect using POP3 or IMAP4, in which case you can disable these protocols or selectively disable them on a user by user basis.

      TR

      • FT says:

        @TR, Nope. Apple Mail or Mac Mail don’t use IMAP or SMTP. They use Exchange Web Services to connect to Exchange.

      • I think that in the past Apple Mail and MacMail used IMAP (for access) and SMTP (to send mail) when they needed to connect to Exchange. I’m happy to hear that they have upgraded to use EWS. I wouldn’t have noticed, as I use Outlook 2011 for Mac, which has always had the sense to use EWS.

        TR

  5. bserebin says:

    Actually, Apple Mail (5.2 [on 10.7.3] & 4.5 [on 10.6.8]) uses EWS. You can easily see this in the IIS CAS logs. Outside of throttling down EWS for the default policy and then opt-in users to a more lenient policy, I’m not aware of another option…. yet for Exchange 2010 SP1.

  6. Adam says:

    We are having issues getting Mac Mail 5.2 to work correctly. Mac Mail 4.2 works fine, Outlook 2011 fine, but Mac Mail 5.2 – not a chance. Anyone successfully published Mac Mail 5.2?

  7. DwaineD says:

    Hi Tony, thank you for the informative article. I am however having a problem with the command: it is not accepting $true or 1 as an option after AllowMacOutlook. Is there a way I can do this in ESM, or check if it is enabled in the shell? We are having an issue with Mac Outlook connecting to POP3, whereas the normal Mac Mail client works. Would the command I am talking about be the issue here?

    • Hi Dwaine,

      There’s no ESM option to change the EWS settings for an organization. You’ll have to run the Get-OrganizationConfig cmdlet in EMS to check on the current value of EWSAllowMacOutlook.

      But EWS has nothing to do with POP3 so setting it won’t cure a problem that you might be having using that protocol…

      TR

  8. Pingback: E2K10 – EWS | Jonson Yang

  9. Ian Fischer says:

    From what I have read, (I have E2007, SP3) there is no way to lock this down or restrict who can use EWS, unless I am running E2010. Therefore I am looking into deleting the virtual directory. Before doing so, I need to be SURE it won’t break OWA or EAS. Can anyone assure me of this?

  10. Ian says:

    I was able to lock down this service by restricting the IP subnets it’s allowed to communicate with via IIS for the /EWS website. I basically permitted all my internal subnets and blocked everything else. Works great.

  11. Thanks for the update, can I set it up so I get an alert email every time there is a new update?

  12. Pingback: LinkedIn Security/Information Risks with Exchange « Adam Fowler – I.T. From Australia
