en Exchange 2003 came out, it offered Outlook Anywhere, although it was called “RPC/HTTPS”. This was an all or nothing service. In other words, if you set up Outlook Anywhere on the server then every user was able to use it. This poses a data security risk because users could connect to their mailbox from any Outlook client and download a copy of their mailbox, without using VPN or any other security checks on the remote system.
In Exchange 2007 (after SP1) and 2010, Outlook Anywhere permissions and capabilities are more granular. You can set up Outlook Anywhere within the environment and then limit the ability on a per user basis.
This must be configured using Exchange Management Shell. Here is the PowerShell cmdlet to Outlook Anywhere for a single mailbox:
Get-Mailbox –Identity <mailbox> | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True
Of course, most of us work in larger environments and this would be difficult to run once for each mailbox. There are a couple of approaches you could take to handle this. I will cover two.
- Disable Outlook Anywhere for All Mailboxes and Enable Specific Mailboxes
- Disable Specific Mailboxes
Each method is similar in its application.
Disable Outlook Anywhere for All Mailboxes and Enable Specific Mailboxes:
- If you want to disable it for all users:Get-Mailbox –ResultSize Unlimited | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True
- Enable specific mailboxes for Outlook Anywhere:Get-Mailbox –Identity <mailbox> | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$False
Disable Specific Mailboxes
- Create a text file with a list of users you would like to disable, each on a separate line.
- Save the file to a central location (I usually create a “C:scripts” folder on my Exchange servers, so they are easily accessible). (ex. C:ScriptsDisableOAMailboxes.txt).
- Create a script to call the text file, read the mailbox names and change their CAS Mailbox settings:$Mailboxes = Get-Content “C:ScriptsDisableOAMailbox.txt”
Foreach ($Mailbox in $Mailboxes)
{
Set-CASMailbox -Identity $Mailbox -MAPIBlockOutlookRpcHttp:$true -Verbose
}