Blocking Blackberry BIS from accessing Exchange Web Service (EWS) Part 2


Hi there,

In the first part of this (sort of) how-to, I showed you how to block Blackberry BIS (or any kind of service masquerading as a web browser) from accessing Exchange Web Service, or EWS for short. In this one, I’ll be covering how to block BIS using the IIS IP Address & Domain Restrictions module. This method is preferable if you want to block certain sites or networks from accessing your EWS. It can also be used if you’re planning to provide EWS functionality on the internal network only.

First, make sure that the IIS IP Address & Domain Restrictions (IADR) module has been installed on the Exchange Server. Open the IIS Manager, and see if it’s there.

Is it there?

If you can’t find it, install it using Server Manager. In Server Manager, go to Roles, and scroll to Web Server (IIS). Press the “Add Role Services” button. Find IP and Domain Restrictions under Security, and put a checkmark on it. Press OK.

Add roles…
…under security

Fire up the IIS Manager, and see if it’s there. If it’s still not there, you might be required to restart your server, or whatever you Windows admins do to restart services these days.

Next, in the IIS Manager, expand the Default Web Site tree, and find the EWS virtual directory. Highlight EWS, and in the center pane, click on IP Address and Domain Restrictions.

The next step depends on what you’re trying to achieve. If you want to block EWS from being accessed by the external network, and provide full functionality on the internal network, you can allow all traffic from the internal network, and deny the rest. Add an Allow filter by pressing “Add Allow Entry” in the Actions pane on the far right of IIS Manager.

Add an allow filter

Select the IP address range option, and type in the network addresses of your internal network. This should at least contain the subnets where your clients reside, and the subnets of any servers that you allow to access EWS.

Next, select “Edit Feature Settings” in the Actions pane, select “Deny”, and press OK. This way, the only incoming traffic accepted by the EWS virtual directory is traffic originating from the networks listed in the Allow filters, thus blocking requests from the internet, including BIS.

Deny Any Any

Now, if you want EWS to be available to your users on the internet except those that use BIS, you can set a Deny filter for all BIS server IP addresses, which are documented here.
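Both variants above (allow internal networks and deny everything else, or deny only the BIS address ranges) are the same IIS setting, the ipSecurity section on the EWS virtual directory, so they can be scripted instead of clicked through. The following is an added example using the WebAdministration module; it is not part of the original post. The site and virtual directory names, the internal subnets and the deny-list ranges are constructed placeholders: replace the deny-list entries with the BIS ranges documented by BlackBerry, and the allow-list entries with your own subnets.

```powershell
# Added example (not from the original post): script the IIS
# "IP Address and Domain Restrictions" feature on the EWS virtual directory.
# IIS Manager writes this section into applicationHost.config under a
# <location> tag, so the script targets MACHINE/WEBROOT/APPHOST with -Location.
Import-Module WebAdministration

function Set-EwsIpRestriction {
    param(
        # 'InternalOnly': allow the listed ranges, deny everyone else.
        # 'DenyList'    : deny the listed ranges, allow everyone else.
        [ValidateSet('InternalOnly', 'DenyList')]
        [string]$Mode,

        # Hashtables of @{ IP = '...'; Mask = '...' } (constructed sample values below).
        [hashtable[]]$Ranges,

        [string]$Location = 'Default Web Site/EWS'   # assumed site/vdir name
    )

    $filter = 'system.webServer/security/ipSecurity'
    $psPath = 'MACHINE/WEBROOT/APPHOST'

    # Start from a clean list so the script is repeatable.
    Clear-WebConfiguration -Filter "$filter/add" -PSPath $psPath -Location $Location

    # In InternalOnly mode the entries are Allow entries; in DenyList mode they are Deny entries.
    $allowed = if ($Mode -eq 'InternalOnly') { 'true' } else { 'false' }

    foreach ($r in $Ranges) {
        Add-WebConfigurationProperty -Filter $filter -PSPath $psPath -Location $Location -Name '.' `
            -Value @{ ipAddress = $r.IP; subnetMask = $r.Mask; allowed = $allowed }
    }

    # "Edit Feature Settings" -> Deny  ==> allowUnlisted = false (only Allow entries get in).
    # "Edit Feature Settings" -> Allow ==> allowUnlisted = true  (only Deny entries are blocked).
    $allowUnlisted = if ($Mode -eq 'InternalOnly') { 'false' } else { 'true' }
    Set-WebConfigurationProperty -Filter $filter -PSPath $psPath -Location $Location `
        -Name 'allowUnlisted' -Value $allowUnlisted

    # Return the effective configuration so it can be reviewed.
    Get-WebConfiguration -Filter "$filter/add" -PSPath $psPath -Location $Location |
        Select-Object ipAddress, subnetMask, allowed
}

# Variant 1: EWS reachable from the internal network only (constructed subnets).
# Include the subnets of the Exchange servers themselves: Exchange components
# and other mailbox/CAS servers call EWS too.
Set-EwsIpRestriction -Mode InternalOnly -Ranges @(
    @{ IP = '10.0.0.0';     Mask = '255.0.0.0' },
    @{ IP = '192.168.10.0'; Mask = '255.255.255.0' }
)

# Variant 2: EWS open to the internet, except the BIS source ranges.
# The range below is a placeholder; use the addresses BlackBerry publishes.
# Set-EwsIpRestriction -Mode DenyList -Ranges @(
#     @{ IP = '203.0.113.0'; Mask = '255.255.255.0' }
# )
```

Two things to check after running this. First, if the Exchange server sits behind a reverse proxy or load balancer that terminates the connection, IIS sees the proxy’s address as the client, and an IP filter on EWS will either block everyone or no one; in that case the restriction belongs on the proxy (on IIS 8 and later the section also has an enableProxyMode attribute that evaluates X-Forwarded-For, which only makes sense if the proxy is the sole path to the server). Second, a blocked client gets an HTTP 403.6 (“IP address rejected”) by default, so a quick test is to request /EWS/Exchange.asmx from a denied address and confirm the 403, then repeat from an allowed one and confirm the normal authentication prompt. Remember that Outlook Anywhere clients outside the network use EWS for free/busy, Out of Office and MailTips, so the InternalOnly variant removes those features for remote users as well as for BIS.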

And now, all that is left to do is to test the filter and see if it works.
