Limit external access to Z-Push

Hello, I am wondering how I can limit external access to certain accounts via Z-Push. All users use Outlook with Z-Push internally, so I cannot switch off mobile access to disable external logins for certain users. Probably I need a combination of IP network and user to do this, perhaps with a proxy? But how does the proxy get the username? Or does anybody have a better way or idea?

Hi
AFAIK there is no real possibility besides creating an allow list on your web server (but then you’ll have to know the IP of your mobile user!!)
I think the only way to get a good result is to create an allow list for internal IPs and let the users who need external Outlook connectivity connect through VPN

rg
Christian

If member of group “mobile”, allow external logins.
You can do that with LDAP groups.

see: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html
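
The combination of source network and LDAP group asked about in this thread could be expressed in Apache 2.4 roughly as follows. This is an added example, not a configuration posted by anyone in the thread; the LDAP host, DNs, bind account, internal ranges and group DN are placeholders, and it assumes Z-Push is served at the standard ActiveSync path and that users log in with the same LDAP credentials Apache checks.

```apache
# Added example. Every hostname, DN, password and network below is a placeholder.
# Requires mod_authnz_ldap and mod_ldap to be loaded.
<Location "/Microsoft-Server-ActiveSync">
    # ActiveSync clients send HTTP Basic credentials, so Apache can
    # evaluate the username before the request reaches Z-Push.
    AuthType Basic
    AuthName "Z-Push"
    AuthBasicProvider ldap

    # Search base, login attribute and scope for looking up the user.
    AuthLDAPURL "ldaps://ldap.example.internal/ou=users,dc=example,dc=internal?uid?sub"
    AuthLDAPBindDN "cn=apache-ro,ou=services,dc=example,dc=internal"
    AuthLDAPBindPassword "CHANGE_ME"

    <RequireAny>
        # Internal clients: allowed by source address alone, so office
        # Outlook users are unaffected by group membership.
        Require ip 10.0.0.0/8 192.168.0.0/16

        # External clients: allowed only if the authenticated user is a
        # member of the "mobile" group.
        Require ldap-group cn=mobile,ou=groups,dc=example,dc=internal
    </RequireAny>
</Location>

# If Apache sits behind a reverse proxy or load balancer, "Require ip"
# sees the proxy's address. Configure mod_remoteip with a trusted proxy
# list first, otherwise every request looks internal.
```

Requests from outside the listed networks by users who are not in the group are rejected by Apache with 401 before Z-Push runs, which also makes them visible in the web server's access log.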

Hi @isol,

Z-Push supports enabled and disabled features of kopano. There are ‘mobile’ and ‘outlook’ features which Z-Push checks on logon. E.g. you could add ‘outlook’ to enabled features list and ‘mobile’ to disabled features list of a user and then he’ll only be able to use Z-Push via Outlook.

Manfred

@manfred: I know that these features exist, but “outlook” in this sense refers to the MAPI connection; we use ActiveSync for Outlook (as recommended by Kopano) and therefore disabling “mobile” would mean cutting off all Outlook users (=all users). So this does not help here. What we need is more complicated: we need to check for an external allowance at the webserver level.

@isol said in Limit external access to Z-Push:

but “outlook” in this sense refers to the MAPI connection

No, that is not true. This refers to Outlook connecting over ActiveSync.

Ok, but still the fact holds that I cannot disable “mobile” if all users are Outlook client users (ActiveSync) in the office.
I will look into the LDAP group approach mentioned, looks like we would just need to modify the Apache Z-Push configuration. If I succeed I will post the solution here.

@isol said in Limit external access to Z-Push:

but still the fact holds that I cannot disable “mobile” if all users are Outlook client users (ActiveSync) in the office.

No. You can disable mobile, since for outlook over activesync the flag outlook is evaluated.