Disabling Outlook Anywhere for external users in Exchange 2013

Tags: exchange-2013, outlook-anywhere, windows-server-2012-r2

I've been exhaustively Googling this issue to no avail, and am at the point where Microsoft's $2000 support quote is actually looking reasonable, but I was hoping maybe someone here would have an idea.

PROBLEM: we would like to disable Exchange access for anyone not on our corporate LAN. The location is a small offshoot of the main branch and has its email hosted locally for security reasons. We don't want anyone outside the building to be able to add their Exchange account to an Outlook install or mobile device or anything like that. We are running Exchange 2013 on Server 2012R2, IIS 8.

We tackled the mobile device thing with Exchange's quarantining function, but no such thing exists for desktop users. I have tried:

  • going into the EPC, Servers -> Outlook Anywhere and blanking the Outlook Anywhere external host name/replacing it with something that doesn't resolve – this did absolutely nothing as far as I can tell
  • running the Get-Mailbox -MAPIBlockOutlookRpcHttp command on the mailboxes I don't want to have access to Outlook outside of the network. While this used to work on Exchange 2007, in 2013 it disables access for internal users as well
  • setting up IP address and domain restrictions on the RPC website in IIS to disallow everything that isn't a local IP – also did absolutely nothing, even when set to deny every single IP range
  • blood magic

I feel like this shouldn't be this hard. We're not concerned about external access to OWA, since we have a two-factor appliance in front of it. Disabling autodiscover won't do either; any requests to authenticate to Exchange from a public IP should be shot down, period.

I know this issue is pretty niche (given that I've found only a few similar incidents on Google), but I'm hoping someone here might be able to figure out what I'm doing wrong. Thanks in advance!

Best Answer

You need a reverse proxy. The Exchange product team outlined how to do it in a blog posting from 2013.

http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx

That will allow you to control access to 443, so you can allow OWA, ActiveSync, but block Outlook Anywhere.

Although the IP address restrictions should have worked. Did you run IISRESET afterwards so it took effect?
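Below is an added PowerShell example, not code from the answer's author or from the linked Exchange team post, showing both halves of the answer: the IIS IP and Domain Restrictions on the Outlook Anywhere virtual directory (the part that "should have worked"), and a URL Rewrite rule on an IIS ARR reverse proxy that drops /rpc before it is forwarded while /owa and ActiveSync pass through. It assumes the Exchange 2013 Client Access front end is the IIS "Default Web Site", that the corporate LAN is 10.0.0.0/8 and 192.168.0.0/16 (constructed ranges; substitute your own), and that the ARR box has the URL Rewrite module installed.

```powershell
# Added example (not from the answer author). Assumed values: site name
# 'Default Web Site', LAN ranges 10.0.0.0/8 and 192.168.0.0/16 (constructed).
Import-Module WebAdministration

# On the Exchange CAS: allow /rpc (and /mapi, in case MAPI over HTTP is enabled)
# only from LAN addresses. Rules are written to applicationHost.config under a
# <location> tag, so the section's default "Read Only" delegation does not block
# the change the way editing the vdir's own web.config can.
function Restrict-OutlookAnywhereToLan {
    param(
        [string]      $SiteName  = 'Default Web Site',
        [string[]]    $VDirs     = @('rpc', 'mapi'),
        [hashtable[]] $LanRanges = @(
            @{ ipAddress = '10.0.0.0';    subnetMask = '255.0.0.0' },    # constructed
            @{ ipAddress = '192.168.0.0'; subnetMask = '255.255.0.0' }   # constructed
        )
    )
    # IP and Domain Restrictions is an optional IIS feature; make sure it is present.
    if ((Get-WindowsFeature Web-IP-Security).InstallState -ne 'Installed') {
        Install-WindowsFeature Web-IP-Security | Out-Null
    }
    $filter = 'system.webServer/security/ipSecurity'
    foreach ($vdir in $VDirs) {
        $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = "$SiteName/$vdir" }
        # Start from a clean rule set, then deny everything not explicitly listed.
        Clear-WebConfiguration @common -Filter $filter
        Set-WebConfigurationProperty @common -Filter $filter -Name allowUnlisted -Value $false
        foreach ($range in $LanRanges) {
            Add-WebConfigurationProperty @common -Filter $filter -Name '.' -Value @{
                ipAddress = $range.ipAddress; subnetMask = $range.subnetMask; allowed = $true
            }
        }
    }
    # As the answer notes, restart IIS so the new rules actually take effect.
    iisreset /noforce | Out-Null
}

# Read back the effective rules for one vdir so the result can be checked after IISRESET.
function Get-OutlookAnywhereRestrictions {
    param([string] $SiteName = 'Default Web Site', [string] $VDir = 'rpc')
    $cfg = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/$VDir" `
        -Filter 'system.webServer/security/ipSecurity'
    [pscustomobject]@{
        AllowUnlisted = $cfg.allowUnlisted
        Rules         = $cfg.Collection | Select-Object ipAddress, subnetMask, allowed
    }
}

# On the ARR reverse proxy: abort any request for /rpc or /mapi before ARR's
# forwarding rule sees it. OWA and ActiveSync paths are untouched.
function Block-OutlookAnywhereAtProxy {
    param([string] $SiteName = 'Default Web Site', [string] $RuleName = 'Block Outlook Anywhere')
    $rules  = 'system.webServer/rewrite/rules'
    $rule   = "$rules/rule[@name='$RuleName']"
    $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SiteName }
    if (-not (Get-WebConfiguration @common -Filter $rule)) {
        # Insert at index 0 so this rule is evaluated before the ARR forwarding rule.
        Add-WebConfigurationProperty @common -Filter $rules -Name '.' -AtIndex 0 -Value @{
            name = $RuleName; stopProcessing = $true
        }
    }
    # URL Rewrite matches the path without its leading slash.
    Set-WebConfigurationProperty @common -Filter "$rule/match"  -Name url  -Value '^(rpc|mapi)(/|$)'
    Set-WebConfigurationProperty @common -Filter "$rule/action" -Name type -Value 'AbortRequest'
}

# Usage (run the first two on the CAS, the last on the ARR proxy):
# Restrict-OutlookAnywhereToLan
# Get-OutlookAnywhereRestrictions
# Block-OutlookAnywhereAtProxy
```

Two things worth checking if the IP restrictions appear to do nothing: they must be applied to the /rpc directory of the front-end Default Web Site (the port 443 site clients hit), not to the "Exchange Back End" site on port 444 that the front end proxies to; and once a reverse proxy is in front of the CAS, IIS on the CAS sees the proxy's address as the client, so a CAS-side allow list can no longer tell LAN users from external ones, which is why the block belongs on the proxy in that design.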