Recently I was asked to restrict OWA traffic from certain IPs or ranges of IPs. This was a test of the control we have over our Forefront TMG 2010 firewall policy. It becomes useful when you want to block OWA traffic from a particular public IP range. One such situation, I feel, is blocking unauthorized BlackBerry Internet Service (BIS) users of company email. As you know, if the OWA feature is enabled for a user, he can configure his own device with a BIS account. To prevent that, you may block the BlackBerry® Internet Service Internet Protocol (IP) ranges listed in this article: Firewall and connection requirements for the BlackBerry Internet Service
Now, how do we achieve this in our Forefront firewall policy? I would say it is easy. I have used the IP range 10.10.10.11 – 10.10.10.19 in my lab infrastructure.
I assume that you already have a rule on your Forefront TMG 2010 to publish Outlook Web App; if you have not done it, refer to this article –
Now let’s see how we configure the restriction on IP range,
Now that you have restricted the specified IP range, try accessing the OWA page from machines that are in the IP Block List. You should receive the message below at the bottom of the web page.
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator
Likewise, you may add the same IP Block List to any other policy you have created, e.g. the OWA redirection policy and so on.
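A practical way to confirm the block list is doing its job beyond a single manual browser test is to read the TMG web proxy log and look for requests from blocked addresses that did not end in 403. The script below is an added example, not part of the original post or of TMG itself. It assumes a simplified, constructed log layout ("client-ip status url" per line) rather than TMG's real W3C field order, and the block list and log lines are made up; only the 10.10.10.11 – 10.10.10.19 range comes from the lab above.

```python
"""Audit a TMG-style web proxy log against an OWA IP block list.

Constructed example: the block list entries and the log lines below are
made up, and the log layout is a simplified space-separated
"client-ip status url" form, not TMG's real W3C field order.
"""
import ipaddress

# Block list entries in the two shapes an admin typically types into a
# TMG Computer Set: a dashed range or a CIDR prefix.
BLOCK_LIST = [
    "10.10.10.11 - 10.10.10.19",   # the range used in the lab above
    "203.0.113.0/24",              # constructed CIDR entry
]


def parse_block_list(entries):
    """Expand each block-list entry into a list of ipaddress networks."""
    nets = []
    for entry in entries:
        entry = entry.replace("\u2013", "-")  # tolerate an en dash
        if "-" in entry:
            start, end = (s.strip() for s in entry.split("-", 1))
            # A dashed range becomes the minimal set of CIDR blocks
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end)))
        else:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
    return nets


def is_blocked(ip, nets):
    """True if the client address falls inside any block-list network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def audit(lines, nets):
    """Return (client_ip, status, url) for every request from a blocked
    address that was NOT denied with 403, i.e. evidence the rule did not fire."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        client_ip, status, url = line.split()[:3]
        if is_blocked(client_ip, nets) and status != "403":
            findings.append((client_ip, int(status), url))
    return findings


# Constructed sample log; fields: c-ip sc-status cs-uri
SAMPLE_LOG = """\
# constructed sample; fields: c-ip sc-status cs-uri
10.10.10.12 403 https://mail.example.com/owa/
10.10.10.15 200 https://mail.example.com/owa/auth/logon.aspx
10.10.10.30 200 https://mail.example.com/owa/
203.0.113.7 403 https://mail.example.com/owa/
203.0.113.8 302 https://mail.example.com/owa
"""


if __name__ == "__main__":
    nets = parse_block_list(BLOCK_LIST)
    for ip, status, url in audit(SAMPLE_LOG.splitlines(), nets):
        print(f"blocked address {ip} got {status} for {url}")
```

The 302 finding in the sample log illustrates the point made above about the redirection policy: if an HTTP-to-HTTPS redirect rule sits ahead of the publishing rule and does not carry the same IP Block List, a blocked client is redirected before the deny rule is ever evaluated.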