Outlook Anywhere -- also referred to as RPC over HTTP -- is the default way all Outlook clients connect to their mailboxes on Exchange Server 2013.
Exchange Server 2013 does not provide a way to selectively disable external access to Outlook Anywhere and still allow it internally. However, it is not an unreasonable request to want all your users to leverage Outlook Anywhere internally while preventing some users from connecting to it from outside the corporate network.
If you only need to prevent some users from using Outlook Anywhere, then you could simply configure Outlook Anywhere as disabled for those users. The following command would disable Outlook Anywhere for all the users' mailboxes in a specific organizational unit in Active Directory:
Get-Mailbox -OrganizationalUnit "OrganizationUnitName" | Set-CASMailbox -MAPIBlockOutlookRpcHttp $True
This is only a partial resolution -- it would block Outlook Anywhere internally and externally for those restricted users.
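The following script is an added example, not part of the original article. It wraps the command above in a preview, backup and verify workflow for the Exchange Management Shell. The OU name, the backup file path and the -Apply switch are placeholders assumed for illustration.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# $OU and $BackupPath are placeholder values; -Apply is a switch defined by this script.
param(
    [string]$OU         = "OrganizationUnitName",
    [string]$BackupPath = ".\OutlookAnywhere-before.csv",
    [switch]$Apply      # without -Apply the script only previews the change
)

# 1. Record the current per-mailbox setting so the change can be reverted later.
$before = Get-CASMailbox -OrganizationalUnit $OU -ResultSize Unlimited |
    Select-Object Name, DistinguishedName, MAPIBlockOutlookRpcHttp
$before | Export-Csv -Path $BackupPath -NoTypeInformation

# 2. Only touch mailboxes that are not already blocked.
$targets = @($before | Where-Object { -not $_.MAPIBlockOutlookRpcHttp })
Write-Host ("{0} mailboxes in scope, {1} to change" -f @($before).Count, $targets.Count)

foreach ($t in $targets) {
    # -WhatIf is on unless -Apply was given, so a dry run makes no changes.
    Set-CASMailbox -Identity $t.DistinguishedName `
        -MAPIBlockOutlookRpcHttp $true -WhatIf:(-not $Apply)
}

# 3. After a real run, confirm nothing in the OU was missed.
if ($Apply) {
    $missed = @(Get-CASMailbox -OrganizationalUnit $OU -ResultSize Unlimited |
        Where-Object { -not $_.MAPIBlockOutlookRpcHttp })
    if ($missed.Count -gt 0) {
        Write-Warning ("{0} mailboxes still allow Outlook Anywhere:" -f $missed.Count)
        $missed | Select-Object Name | Format-Table -AutoSize
    } else {
        Write-Host "All mailboxes in the OU now block Outlook Anywhere."
    }
}

# Rollback: restore each mailbox to the value saved in the CSV.
# Import-Csv $BackupPath | ForEach-Object {
#     Set-CASMailbox -Identity $_.DistinguishedName `
#         -MAPIBlockOutlookRpcHttp ([bool]::Parse($_.MAPIBlockOutlookRpcHttp))
# }
```

Run it once without -Apply to review the list of affected mailboxes, then again with -Apply. The block still applies both internally and externally for those users.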
Another partial answer, if you use a reverse proxy, is to block the path to the RPC directory for external users. This is a bit more complex; it may require you to configure a namespace for Outlook Anywhere separate from the other published services. Then, use reverse proxy settings to block or deny Outlook Anywhere connection attempts.
To view the current Outlook Anywhere internal and external hostnames, run the following command in the Exchange Management Shell:
Get-OutlookAnywhere | Format-List server, *hostname
This workaround allows all clients to use Outlook Anywhere internally, but also falls short because it blocks all users externally.
Some other options to investigate include using a pre-authentication tool like Unified Access Gateway or Web Application Proxy, or implementing a certificate authentication tool where specific groups of users are not allowed external access.
Set-CASMailbox -Identity MailboxIdParameter -MAPIBlockOutlookExternalConnectivity $True
When this is enabled, external Outlook clients cannot use Outlook Anywhere or MAPI over HTTP. This option is fully supported and easier to configure than the workarounds. Perhaps this will be a key driver for you to upgrade to Exchange Server 2016.
In the meantime, understand the risk of using the workarounds in your Exchange Server 2013 organization. They could have less than desired or even unpredictable results on other aspects of client connectivity and functionality. If you plan to configure Outlook Anywhere for external use, be cautious and test any changes in a nonproduction environment before making any changes in production.