Hello, I am wondering how I can limit external access to certain accounts via z-push. All users use outlook with z-push internally, so I cannot switch off mobile access to disable external logins for certain users. Probably I need a combination of IP network and user to do this, perhaps with a proxy? But how does the proxy get the username? Or does anybody have a better way or idea?
Limit external access to Z-Push
AFAIK there is no real possibility beside creating an allow list on your web server (but then you’ll have to know the IP of your mobile user!!)
I think only way to get a good result is to create allow list for internal IP’s and let the users who need external Outlook connectivity connect through VPN
If member of group “mobile” allow external logins.
you can do that with ldap groups.
Z-Push supports enabled and disabled features of kopano. There are ‘mobile’ and ‘outlook’ features which Z-Push checks on logon. E.g. you could add ‘outlook’ to enabled features list and ‘mobile’ to disabled features list of a user and then he’ll only be able to use Z-Push via Outlook.
@manfred: I know that these features exist, but “outlook” in this sense refers to the MAPI connection; we use acitvesync for outlook (as recommended by kopano) and therefore disabling “mobile” would mean cutting off all outlook users (=all users). So this does not help here. What we need is more complicated: we need to check for an external allowance at the webserver level.
Ok, but still the fact holds that I cannot disable “mobile” if all users are Outlook client users (ActiveSync) in the office.
I will look into the LDAP group approach mentioned, looks like we would just need to modify the Apache z-push configuration. I I succeed I will post the solution here.