Block MapiOverHttps from external only

Question

We have multiple Exchange 2019 servers that currently still use MapiOverRpc. Connection from the internet (Mapi, ActiveSync, Owa) is through the Reverse Proxy funcitonality of a Sophos UTM gateway ("Web Application Firewall").

We now would like to switch to MapiOverHttps. The problem is that we would still like to use NTLM/Kerbersos as authentication mehtod, but our reverse proxy cannot forward these methods, only "Basic authentication". If we enable this, all users, internal and external, are asked to enter the password everytime they open outlook. The MAPI Virtual Directory is the only one where I cannot set different authentication methods for the internal and external access.

My question: is there any way to use MapiOverHttps internaly, and OutlookAnywhere for external connections? Or a way to use MapiOverHttps with Basic authentication for external access and NTLM/Kerberos for internal access?

I already tried to just block the /mapi url on the reverse proxy, hoping that this will then fall back to OutlookAnywhere. This did not work, Outlook did just not connect.

Answer 1

Based on my knowledge, you could not configure MapiOverHttps internaly, and OutlookAnywhere for external connections. Detailed information in the below screenshot and the blog for your reference.

And we cannot configure external or internal authentication for MAPI virtual directory, we only can enable Basic or other authentication by Set-MAPIVirtualDirectory with IISAuthenticationMethods parameter. Refer to the similar thread: How to set MAPI/HTTP internal and external authentication differently