Tuesday, 17 July 2012 13:22

How to Restrict/Deny the OWA traffic from Certain IPs or IP Range using Forefront TMG 2010

Written by

Recently I have been asked to set restriction to the OWA traffic from certain IPs/ Range of IPs. This was in test for the control that we can have on our Forefront TMG 2010 firewall policy. This will become useful when you want to block the OWA traffic from certain public IP range. One such situation I feel is to block the unauthorized Blackberry Internet Services (BIS) users of company email. As you know that if the OWA feature is enabled for a user, he can configure his own device with BIS account. To overcome that, you may block the BlackBerry® Internet Service Internet Protocol (IP) ranges listed in this article Firewall and connection requirements for the BlackBerry Internet Service

Now, how do we achieve this on our Forefront Firewall policy? I would say it is easy, I have taken IP range as – in my LAB infrastructure.

I assume that you already have a rule on you Forefront TMG 2010 to publish the Outlook Web App, if you have not done it refer this article –

Publish Exchange 2010 OWA Using Forefront TMG 2010 & Configure OWA Redirection – Part 1

Now let’s see how we configure the restriction on IP range,

  • Open Forefront TMG Console and Locate Firewall Policy in the left pane
  • On your Right hand side, make selection on “Toolbox” (by default the selection will be on Tasks)
  • Now expand the Address Ranges as shown below


  • Right click on it and say “New Address Range” and name it as IP Block List then enter the IP range you want to put restriction on (If you wish to block only 1 IP enter the same IP on both start and end address).


  • Now go back to the “All Firewall Policy” area and select the OWA publishing rule (in my case it is named as Exchange2010 OWA), right click on it and go to Properties.
  • Click on the tab “From” and add the newly created Address Range IP Block List’ to the Exceptions as shown below.


  • Click on Apply and say OK.
  • Apply these changes to TMG configuration by clicking on Apply button on top.

Now you have set restriction to the IP range specified, try accessing the OWA page from machines those are in the IP Block List. You should be receiving the below message in the bottom of the webpage.

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator

Likewise you may add the same IP Block List to any policy that you have created, for e.g. the OWA redirection policy and so on.


theme by reviewshub