Disabling EWS in Exchange 2010

Exchange Web Services (EWS) is a robust API that exposes many Exchange client access features. Many popular clients use this API on many different platforms. What if you want to limit client access via EWS, however? You do have an option. In Exchange 2010, you can use the Set-CASMailbox command to modify EWS access.

Note: The Set-CASMailbox command in Exchange 2007 does not provide options for limiting EWS access.

The following options that the Set-CASMailbox command exposes enable you to change the settings on a per-user basis:

  • Turn EWS on/off
  • Turn EWS on/off for Outlook, Mac Outlook, and Entourage
  • Turn EWS on/off using allow/block lists for user agent filtering

These options make use of the user agent header to filter access. While useful in many scenarios, user agent filtering has one inherent disadvantage: the user agent string is supplied by the client, so it can easily be written to represent an agent on an allowed list, including Outlook, Mac Outlook, and Entourage. Of equal importance is the fact that specific EWS features can’t be blocked. EWS feature access is not segmented to allow access to particular EWS operations; it’s all or nothing. Turning off EWS will affect clients that use the Out of Office (OOF) settings, availability, mail tips, and so on. It is important to take this into consideration when planning the client-server interaction part of your system architecture.
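
The three per-user options listed above, shown as Set-CASMailbox calls with a Get-CASMailbox review of the resulting settings. This is an added example, not code from the original article; the mailbox alias and the user agent patterns are constructed placeholders, and each Set-CASMailbox call is an alternative rather than a sequence to run in order.

```powershell
# Run in the Exchange Management Shell on Exchange 2010.
# 'jdoe' is a placeholder mailbox alias (assumption, not from the article).
$mbx = 'jdoe'

# Option 1: turn EWS off for the mailbox.
# All or nothing: OOF settings, availability and mail tips stop working
# for this user as well, because EWS operations cannot be blocked individually.
Set-CASMailbox -Identity $mbx -EwsEnabled $false

# Option 2: leave EWS on, but switch it on/off for Outlook, Mac Outlook
# and Entourage individually.
Set-CASMailbox -Identity $mbx -EwsEnabled $true `
    -EwsAllowOutlook $true `
    -EwsAllowMacOutlook $false `
    -EwsAllowEntourage $false

# Option 3a: allow list. Only requests whose user agent matches an entry
# are accepted. 'ExampleApprovedClient/*' is a constructed placeholder.
Set-CASMailbox -Identity $mbx `
    -EwsApplicationAccessPolicy EnforceAllowList `
    -EwsAllowList @('ExampleApprovedClient/*')

# Option 3b: block list. Requests whose user agent matches an entry are
# refused; everything else is accepted. Placeholder pattern again.
Set-CASMailbox -Identity $mbx `
    -EwsApplicationAccessPolicy EnforceBlockList `
    -EwsBlockList @('ExampleUnwantedClient/*')

# Review: list the EWS settings of every mailbox so that exceptions and
# mailboxes still on the defaults are visible in one table.
Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, EwsEnabled, EwsAllowOutlook, EwsAllowMacOutlook,
                  EwsAllowEntourage, EwsApplicationAccessPolicy,
                  EwsAllowList, EwsBlockList |
    Format-Table -AutoSize
```

Because options 2 and 3 match on a header the client sets, they restrict well-behaved clients only; where EWS must not be reachable for a mailbox at all, `-EwsEnabled $false` is the setting that does not depend on the user agent.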