
We're hosting several domains on our infrastructure, exchange and blackberry hosting included. Some of our clients have a direct vpn-connection into our datacenter because it's needed for their applications.
And this causes following problem:
Some Outlook clients connect to our Exchange server via direct MAPI (TCP/IP, not via RPC over HTTP), and that causes them to be able to see every mail address from other domains.

That's why we want to prevent users from connecting their clients directly via TCP/IP. They should only connect via RPC over HTTP. Is there any way to accomplish this without preventing our BlackBerry Enterprise Server from connecting to our Exchange?

wullxz
  • Are you not using segregated address books? – joeqwerty Apr 19 '11 at 21:11
  • It's not possible to separate these subnets because Outlook is hosted on Windows terminal servers, which require access to our management subnet. – wullxz Apr 20 '11 at 13:00
  • I'm talking about segregating the address books in Exchange, not changing your subnets. – joeqwerty Apr 21 '11 at 00:50
  • We can only half-segregate the address books. Sadly, our infrastructure has grown bit by bit. To solve this, we would have to rebuild AD, Exchange etc. It's already planned, but not in the near future. For now, our only chance is to prohibit direct MAPI connections. – wullxz Apr 21 '11 at 06:44
  • Hopefully you do have a firewall between your servers and these VPN connections. You can block MAPI there just by not opening any MAPI-related ports. – icky3000 Apr 21 '11 at 18:51

1 Answer

You can configure Outlook to prefer RPC/HTTPS connections instead of direct RPC even if it's available, but if I understand your question correctly, those are external clients and you don't manage them, so it would be left to the users to configure it correctly.

You can't disable MAPI access on the Exchange server, as it would block "true" internal users and MAPI services/applications (like BES).

Your only option is blocking traffic. I don't know what you are using as a VPN endpoint, but most devices can apply firewall policies to VPN traffic; just block direct access from the VPN clients to the Exchange servers and you should be fine. If you can't do this on the VPN endpoint, then your other option is configuring Windows Firewall on the Exchange servers to do the same.

Massimo
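The second option in the answer, a Windows Firewall rule on the Exchange servers themselves, as an added example (not code from the question or the answer). It creates one inbound block rule scoped to the VPN client address range, so internal Outlook users and BES on other subnets are untouched, while TCP 443 (RPC over HTTPS) stays open for the VPN clients. The VPN range and the rule name are assumed placeholders; run it in an elevated PowerShell session on each Exchange server the clients reach.

```powershell
# Added example: block direct MAPI/RPC from VPN clients on an Exchange server,
# leaving RPC over HTTPS (TCP 443) reachable. Uses netsh so it also works on
# Windows Server 2008 R2; on 2012+ New-NetFirewallRule does the same job.
# ASSUMED placeholder: the address range the VPN endpoint hands to clients.
$VpnClientRanges = '10.50.0.0/16'
$RuleName        = 'Block direct MAPI from VPN clients'

# Windows Firewall evaluates block rules before allow rules, so this rule wins
# over the allow rules Exchange setup created. Direct MAPI needs TCP 135 (RPC
# endpoint mapper) plus whatever dynamic ports the RPC Client Access service is
# listening on, so the rule blocks every TCP port except 443 from the VPN range
# instead of chasing individual port numbers.
netsh advfirewall firewall add rule `
    name="$RuleName" `
    dir=in action=block enable=yes profile=any `
    protocol=TCP localport=1-442,444-65535 `
    remoteip=$VpnClientRanges `
    description="VPN clients must use RPC over HTTPS; direct MAPI is blocked"

# Check the rule landed with the intended scope before relying on it: the
# RemoteIP line must show only the VPN range, never Any.
netsh advfirewall firewall show rule name="$RuleName" verbose

# Roll back:
# netsh advfirewall firewall delete rule name="$RuleName"
```

Because the rule is keyed on the remote address rather than on ports alone, BES and the management subnet keep full MAPI access as long as they do not arrive from the VPN range; if the terminal servers mentioned in the comments sit inside that range, add their addresses to an explicit allow rule or narrow the range first. After applying it, a VPN client that still has a direct MAPI profile should fail to open the mailbox, and one configured for Outlook Anywhere should connect as before.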