Is there a way to limit access (by IP-address) to the different interfaces of Zimbra?

IE - we might want to allow access to Active Sync-clients from everywhere (with a strict policy for passwords, pin-codes and so on) but allow webmail access only from trusted networks.

Since both webmail and active sync is running on port 443, firewall might not be an option?
Or is it possible to set a different port for either of these?

Or is there some kind of ".htaccess" that could be added somewhere to limit access?