Recently working on a deployment, I came across an unusual request to allow the attachments to be viewed, but the users should not be able to download the attachments anywhere on their machines when accessing from the untrusted (non-domain joined machines) machines.
We have number of articles which describes how to block download and create UAG endpoint policies which can block specific attachment, but couldn’t find anything related to what I was asked to do. For completing the task, we did the following;
- Followed the article http://blogs.technet.com/b/exchange/archive/2007/03/23/3401668.aspx to enable the Web Ready Viewing of the documents in the browser.
- Then, on the UAG, publish the Exchange OWA 2007 as described at http://technet.microsoft.com/en-us/library/ee921443.aspx
- Then go to Advanced Trunk Configuration > Global URL Sets > click Download URLs and change the WebReadyView.aspx URL as shown below.
What this does is that, it removes the WebReadyView.aspx URL from “Download URLs” and UAG will not apply any download restriction policy on this URL. This will allow users to open the attachments in the web browser. Next, we will create the policy to determine the machines as trusted vs. untrusted. This can be another blog post in itself, but to keep it short and simple, we are using the “Network_Domains_DNS” expression to determine whether the machine is domain joined or not.
- To create the policy, follow the steps at http://blogs.technet.com/b/edgeaccessblog/archive/2010/11/08/creating-a-policy-for-a-corporate-machine.aspx
- You may also create your own policy using the expression “Network_Domains_DNS” or “Network_Domains_NetBIOS” as shown in the below snapshot.
-
Now, we need to define this policy to be evaluated when users access the OWA application. To do so, go to the OWA application properties > Endpoint Policy Settings > Change the “Download Policy ” to what you created in the previous step .
-
Activate the configuration
Cheers !!!
Inderjeet 