Controlling EWS access in Exchange 2010 SP1


Another example of a late-breaking change in Exchange 2010 SP1 that causes authors to tear their hair out (if they have any) is the new ability to control access to Exchange Web Services (EWS) on an organization-wide or user-specific basis. Organization-wide access is controlled through the Set-OrganizationConfig cmdlet while the Set-CASMailbox cmdlet controls access on an individual basis.

For example, to block access for a user:

Set-CASMailbox -Identity 'Joe Soap' -EWSEnabled $False

A quick description of the available parameters is shown below:

EWSAllowEntourage: Specifies whether to allow or disallow Entourage 2008 for Mac, Web Services Edition to access Exchange Web Services for the user. Note that Entourage 2008 uses EWS exclusively, so this parameter can be used to block Entourage 2008.
EWSAllowList: Specifies the applications, as identified by their user agent strings, that can access Exchange Web Services when the EWSApplicationAccessPolicy parameter is set to EnforceAllowList.
EWSAllowMacOutlook: Specifies whether to allow or disallow Outlook for Mac to access Exchange using EWS. Future versions of Outlook for Mac will use EWS exclusively.
EWSAllowOutlook: Specifies whether to allow or disallow Outlook 2007 to access Exchange Web Services for the user. Outlook uses Exchange Web Services for free/busy, OOF, and calendar sharing.
EWSApplicationAccessPolicy: Specifies which applications other than Entourage, Outlook for Mac 2011 and Outlook can access Exchange Web Services. If set to EnforceAllowList, only applications specified in the EWSAllowList parameter are allowed access to Exchange Web Services. If set to EnforceBlockList, every application is allowed access to Exchange Web Services except the ones specified in the EWSBlockList parameter.
EWSBlockList: Specifies the applications (user agent strings) that can’t access Exchange Web Services when the EWSApplicationAccessPolicy parameter is set to EnforceBlockList.
EWSEnabled: Specifies whether to globally enable or disable Exchange Web Services access for a user, regardless of which application is making the request.

When the EWSEnabled parameter is set to $false, Exchange Web Services access is turned off regardless of the value of the EWSAllowEntourage parameter or any of the other application-specific settings.

For example, you could set up organization-wide access so that EWS is enabled only for Outlook, Entourage, and applications that present a user agent string matching “OurGreatApp*”:

Set-OrganizationConfig -EWSEnabled $True -EWSAllowOutlook $True -EWSAllowEntourage $True `
    -EWSApplicationAccessPolicy EnforceAllowList -EWSAllowList "OurGreatApp*"
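An allow list is only as good as your knowledge of which user agents legitimately use EWS. As an added example (not from the original post, and not Exchange's own tooling), this PowerShell function tallies EWS requests per user agent and user from a Client Access Server's IIS W3C log; the log location is an assumption and the log lines are constructed so it runs offline.

```powershell
# Added example, not code from the original post or from Exchange: tally the
# user agents that actually hit EWS, per user, from a CAS's IIS W3C log
# (assumed default location C:\inetpub\logs\LogFiles\W3SVC1). The sample lines
# below are constructed so the function runs offline; the real user-agent
# strings are what an EWSAllowList or EWSBlockList has to match.
function Get-EwsUserAgentReport {
    param([string[]]$LogLines)

    $fields = $null
    $hits   = @()
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The W3C header names the columns; remember their positions.
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or -not $fields) { continue }     # other header lines
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }         # malformed line, skip
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-uri-stem'] -notlike '/EWS/*') { continue }  # EWS requests only
        $hits += [pscustomobject]@{
            User      = $row['cs-username']
            UserAgent = $row['cs(User-Agent)'] -replace '\+', ' '  # IIS logs spaces as '+'
        }
    }
    # One row per (user agent, user) with a request count: compare this against
    # the intended EWSAllowList before switching to EnforceAllowList.
    $hits | Group-Object UserAgent, User | ForEach-Object {
        [pscustomobject]@{
            UserAgent = $_.Group[0].UserAgent
            User      = $_.Group[0].User
            Requests  = $_.Count
        }
    } | Sort-Object UserAgent, User
}

# Constructed sample log lines (not real traffic).
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status',
    '2011-03-24 09:00:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\jsoap 192.0.2.10 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.5128) 200',
    '2011-03-24 09:00:07 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\jsoap 192.0.2.11 Mac+OS+X/10.7.3+(11D50);+Mail/5.2+(1257) 200',
    '2011-03-24 09:00:09 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\asmith 192.0.2.12 OurGreatApp/1.0 200',
    '2011-03-24 09:00:12 10.0.0.5 GET /owa/ - 443 CONTOSO\asmith 192.0.2.12 Mozilla/5.0+(compatible) 200'
)

Get-EwsUserAgentReport -LogLines $sample | Format-Table -AutoSize
```

Point it at real log files with `Get-Content` on the W3SVC directory; any user agent that shows up here but is not covered by a pattern in the allow list will be cut off the moment the policy becomes EnforceAllowList.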

SP1 does not expose any UI in EMC or ECP to control EWS access. This may appear in a future service pack for Exchange 2010, or then again, it might not… Now the question is whether I can fit this information into the book, or whether it is just too esoteric to be worth including, given that space is tight anyway…

- Tony

Learn lots more about how to control Exchange 2010 clients in my Microsoft Exchange Server 2010 Inside Out book!

Other information (24 March 2011) from a correspondent who was struggling with EWS access. He writes:

It was a new consultant who found this document (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=894bab3e-c910-4c97-ab22-59e91421e022), followed it from page 8 onward, and recreated three publishing rules in TMG2010 (and also changed something related to authentication under "Client Access Server" in Exchange). After that, it looks like everything works, including Outlook 2011 for Mac from outside the office, setting Out of Office replies via iPhone (even reliable Scheduling Assistant and Mail Tips when using Outlook Anywhere in Outlook 2010 for PC!).

We also needed forms based authentication (I think) to work for our OWA since some people need to be able to change their expired passwords via the Web. That was not working earlier, either.

About Tony Redmond ("Thoughts of an Idle Mind")

Exchange MVP, author, and rugby referee

8 Responses to Controlling EWS access in Exchange 2010 SP1

  1. Jonas says:

    Dear Tony:
    Thanks for the informative article.
    We are at an impasse with EWS. No one seems to know anything about this technology. Even the most renowned Exchange and security experts cannot get EWS to work correctly and there is no proper documentation anywhere (which leaves us scavenging the web for snippets like this article). We are behind a TMG 2010 firewall, I might add, but the whole OA service (which should include EWS, I believe) is published in it.
    We need help and we need it now. Can you, or can you refer us to someone who can?
    We are located in Sweden but I suppose it could be done online.
    Please, help!

  2. I am in the same predicament. I have even bought some of the video trainings like trainsignal on the subject and really need to use this. You would think there would be something out there. I can’t get any of my programs that I want to send me status updates and emergency messages to work with it and the code snippets I have found have no contextual elaboration, so I am really frustrated since my server just went down and if EWS was working I would have gotten notified two days before my whole company ended up without email. This really sux.

  3. I am looking for a way to disable EWS access for Mac Outlook 2011 from external (via TMG). If I shut down EWS for all Outlook 2011, we disable that internally, which is not good. I can’t just shut down EWS altogether, we have our Windows clients requiring this. Looking for suggestions on how to accomplish this, appreciate any direction.

  4. Todd S. says:

    I want to disable Apple Mail or Mac Mail client from connecting to Exchange 2010. If our policy doesn’t allow Outlook Anywhere for Windows clients, why would we allow non-domain joined personal Macintosh computers to bypass the policy and connect to Exchange? Do the -EWSAllowEntourage $False or -EWSAllowMacOutlook $False commands block Mac Mail clients? In my testing they have not. I can’t turn off EWS altogether since I need Outlook, ActiveSync, OOF and Free/Busy, and Calendar Sharing to work. I’m a novice at PowerShell, so please help me with a script to turn off Mac Mail for the organization. Thanks.

    • I don’t think Apple Mail or Mac Mail use Exchange Web Services to connect to Exchange. AFAIK, only Outlook 2011 for Mac and Entourage for Mac (EWS edition) use Exchange Web Services. However, I am not an Apple Mail expert by any means and suggest that you need to do some research elsewhere. Maybe they connect using POP3 or IMAP4, in which case you can disable these protocols or selectively disable them on a user by user basis.

      TR

  5. bserebin says:

    Actually, Apple Mail (5.2 [on 10.7.3] & 4.5 [on 10.6.8]) uses EWS. You can easily see this in the IIS CAS logs. Outside of throttling down EWS for the default policy and then opting users in to a more lenient policy, I’m not aware of another option… yet, for Exchange 2010 SP1.

  6. Adam says:

    We are having issues getting Mac Mail 5.2 to work correctly. Mac Mail 4.2 works fine, Outlook 2011 fine, but Mac Mail 5.2: not a chance. Has anyone successfully published Mac Mail 5.2?
