Limit external access to Z-Push



  • Hello, I am wondering how I can limit external access to certain accounts via Z-Push. All users use Outlook with Z-Push internally, so I cannot switch off mobile access to disable external logins for certain users. Probably I need a combination of IP network and user to do this, perhaps with a proxy? But how does the proxy get the username? Or does anybody have a better way or idea?



  • Hi
    AFAIK there is no real possibility besides creating an allow list on your web server (but then you’ll have to know the IP of your mobile user!!).
    I think the only way to get a good result is to create an allow list for internal IPs and let the users who need external Outlook connectivity connect through VPN.

    rg
    Christian



  • If member of group “mobile”, allow external logins.
    You can do that with LDAP groups.

    see: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html
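
An added sketch of the LDAP-group approach suggested above (not part of the original thread, and not a configuration anyone in it posted): internal networks reach the ActiveSync endpoint without an Apache-level check, while external clients must authenticate as a member of the “mobile” group. The LDAP host, DNs, bind account and internal ranges are placeholders, and it assumes the LDAP `uid` and password are the same credentials the client sends to Z-Push.

```apache
# Added example. Requires mod_authnz_ldap, mod_ldap, mod_auth_basic, mod_authz_host.
# Serve this only over HTTPS: the client sends Basic credentials on every request.
<Location "/Microsoft-Server-ActiveSync">
    AuthType Basic
    AuthName "Z-Push"
    AuthBasicProvider ldap

    # Placeholder directory settings; replace with your own.
    # Use ldaps:// (or STARTTLS) so the bind password is not sent in clear text.
    AuthLDAPURL "ldaps://ldap.example.internal/ou=users,dc=example,dc=com?uid?sub"
    AuthLDAPBindDN "cn=apache-lookup,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE_ME"

    # Group members are stored as full DNs in the "member" attribute
    # (assumption about the directory schema).
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Access is granted if EITHER condition holds:
    #  - the request comes from an internal network (placeholder ranges), or
    #  - the user authenticates and belongs to the "mobile" group.
    <RequireAny>
        Require ip 10.0.0.0/8 192.168.0.0/16
        Require ldap-group cn=mobile,ou=groups,dc=example,dc=com
    </RequireAny>
</Location>
```

Behind a reverse proxy or load balancer, `Require ip` sees the proxy's address unless mod_remoteip is set up with the proxy as a trusted source, so every request would be treated as internal. Z-Push still performs its own login afterwards; this block only adds a gate in front of it.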


  • Kopano

    Hi @isol,

    Z-Push supports enabled and disabled features of Kopano. There are ‘mobile’ and ‘outlook’ features which Z-Push checks on logon. E.g. you could add ‘outlook’ to the enabled features list and ‘mobile’ to the disabled features list of a user, and then he’ll only be able to use Z-Push via Outlook.

    Manfred



  • @manfred: I know that these features exist, but “outlook” in this sense refers to the MAPI connection; we use ActiveSync for Outlook (as recommended by Kopano) and therefore disabling “mobile” would mean cutting off all Outlook users (=all users). So this does not help here. What we need is more complicated: we need to check for an external allowance at the webserver level.


  • Kopano

    @isol said in Limit external access to Z-Push:

    but “outlook” in this sense refers to the MAPI connection

    No, that is not true. This refers to Outlook connecting over ActiveSync.



  • Ok, but still the fact holds that I cannot disable “mobile” if all users are Outlook client users (ActiveSync) in the office.
    I will look into the LDAP group approach mentioned; it looks like we would just need to modify the Apache Z-Push configuration. If I succeed I will post the solution here.


  • Kopano

    @isol said in Limit external access to Z-Push:

    but still the fact holds that I cannot disable “mobile” if all users are Outlook client users (ActiveSync) in the office.

    No. You can disable mobile, since for Outlook over ActiveSync the flag outlook is evaluated.