Dear TMG community,
I have the following situation:
- 1xTMG Single NIC, Domain Member, Located in Main office
- OWA, Outlook Anywhere, Autodiscover published, SSL cert
- many small branch offices across the country accessing the OWA via a specific Blue Coat proxy
Current OWA rule:
Allow, From Anywhere, HTTPSListener - HTML Form Auth, Windows (AD), No Delegation, but client may auth. directly, All Users
This allows anyone with AD account to access and use OWA from anywhere. Now there is a request to limit this as follows:
1. Branch users may access OWA only from branch networks (on TMG it comes as from one IP - the Blue Coat proxy - easy to detect)
2. Main office users may access OWA from anywhere - even branch office networks
I created "Branch users" group in AD and TMG and "Branch networks" object in TMG. I plan to create a rule and place it before existing OWA allow rule as follows:
Deny, From Anywhere Except "Branch Networks", HTTPSListener - HTML Form Auth, Windows (AD), No Delegation, but client may auth. directly, "Branch Users".
Will this prevent "Branch Users" from accessing OWA from other networks and let them use it from "Branch Networks"?
Will all the other users hit the old Allow rule and be able to access OWA from any network?
Will it be necessary to turn on the "Require all users to authenticate" option in the HTTPS Listener?
Any idea how to make this most efficiently?
Thanks
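As an added example (not part of the post and not TMG code), the following Python script models first-match evaluation of the two rules the post describes: a Deny rule scoped to "Branch Users" from "Anywhere except Branch Networks", placed ahead of the existing Allow rule. The proxy address, the group membership and the client addresses are constructed sample data, and the rule semantics are a simplification (the first rule whose source and user set both match decides; delegation and listener settings are not modelled), so it answers the ordering question, not the TMG-specific ones.

```python
"""Model of first-match rule evaluation for the OWA publishing scenario.

Added example, not TMG code. It reproduces the proposed ordering (Deny rule
for "Branch Users" from "Anywhere except Branch Networks" placed before the
existing Allow rule) so each combination of user and source can be checked.
All addresses and group members are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed: the Blue Coat proxy egress address stands for the "Branch Networks" object.
BRANCH_NETWORKS = [ipaddress.ip_network("203.0.113.10/32")]  # RFC 5737 documentation range

# Constructed group membership; in TMG this would come from the AD group behind the user set.
GROUP_MEMBERS = {"Branch Users": {"alice", "bob"}}


@dataclass
class Rule:
    name: str
    action: str                                          # "allow" or "deny"
    exclude_sources: list = field(default_factory=list)  # "Anywhere except ..."; empty = Anywhere
    users: str = "All Users"                             # "All Users" or a group name


def source_matches(rule: Rule, ip: str) -> bool:
    """'From Anywhere except X' matches when the client address is not inside X."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in rule.exclude_sources)


def user_matches(rule: Rule, user: Optional[str]) -> bool:
    """'All Users' matches anyone; a named group matches only its members."""
    if rule.users == "All Users":
        return True
    return user in GROUP_MEMBERS.get(rule.users, set())


def evaluate(rules, ip: str, user: Optional[str]) -> tuple:
    """First-match evaluation: the first rule whose source and user set both match decides.

    A user-scoped rule cannot be decided for an anonymous request, so the model
    reports that authentication is needed first (in the post's setup the HTML form
    listener supplies the identity before the rules are consulted).
    """
    for rule in rules:
        if not source_matches(rule, ip):
            continue
        if rule.users != "All Users" and user is None:
            return ("authenticate", rule.name)
        if user_matches(rule, user):
            return (rule.action, rule.name)
    return ("deny", "default")  # implicit final deny when nothing matches


# The proposed ordering: the new Deny rule sits before the existing Allow rule.
RULES = [
    Rule("Deny Branch Users off-net", "deny",
         exclude_sources=BRANCH_NETWORKS, users="Branch Users"),
    Rule("Allow OWA", "allow"),
]

if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "alice"),  # branch user via the branch proxy
        ("198.51.100.7", "alice"),  # branch user from the Internet
        ("198.51.100.7", "carol"),  # main office user from the Internet
        ("203.0.113.10", "carol"),  # main office user via the branch proxy
        ("198.51.100.7", None),     # anonymous request, identity not yet known
    ]
    for ip, user in cases:
        print(f"{str(user):6} from {ip:14} -> {evaluate(RULES, ip, user)}")
    # Swapping the two rules shows why the Deny must come first.
    print("reversed order, alice off-net ->", evaluate(RULES[::-1], "198.51.100.7", "alice"))
```

Running it shows the branch user allowed only via the proxy address, everyone else allowed from anywhere, and the Deny rule having no effect once it is placed after the Allow rule.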