MSExchangeGuru.com


Exchange 2016: Deny External Access to EAC

Security is the priority in today's world of growing cyber-attacks, so a customer asked us to block external access to the Exchange Admin Center (EAC), which is served from the /ecp virtual directory. Here is how we implemented it.

We have the following options; here are my views on each.

  • Block the URL https://url/ECP at the firewall or load balancer

This sounds like a good option, except that not every firewall or load balancer can filter on the URL path, and it means involving the network team.

  • Disable AdminEnabled on the ECP virtual directory

This is a newer feature (the AdminEnabled parameter of Set-ECPVirtualDirectory), but it blocks internal EAC access as well as external, so on its own it is not a good option. It is applied with the following cmdlet:

Set-ECPVirtualDirectory -Identity "Servername\ecp (Default Web Site)" -AdminEnabled $false

  • Disable AdminEnabled on the internet-facing servers and add a new, internal-only server for EAC access

Adding another server just to reach the EAC is never a recommendation: it consumes hardware resources in a virtualized setup, or needs a new physical server, plus Windows and Exchange licenses. At the same time, it does give you full isolation.

  • Remove the ExternalUrl on the ECP virtual directory

Removing the ExternalUrl only changes what Exchange advertises to clients; the /ecp path still answers on the same published name as OWA, so external access continues unless we also block OWA. This is not an option.

  • Allow only the LAN IP address range on the ECP virtual directory from IIS Manager

Allowing only the LAN IP address range sounds like a reasonable option to me. Here is how we configure it.

Step 1. Log in to your Exchange server and open IIS Manager.

Step 2. Browse to "Default Web Site" -> ECP. (Use the front-end Default Web Site, not the "Exchange Back End" site; external clients only ever reach the front end.)

Step 3. Double-click "IP Address and Domain Restrictions". (If the icon is missing, install the "IP and Domain Restrictions" role service, Web-IP-Security.)

Step 4. Click "Add Allow Entry".

Step 5. Add the IP address or range, then click OK.

It is not done yet, so have some patience.

Step 6. Click "Edit Feature Settings".

Step 7. Under "Access for unspecified clients" select Deny, and under "Deny Action Type" choose "Not Found" (a 404 hides the existence of /ecp) or any of the other options (Unauthorized, Forbidden, Abort Request).

Step 8. Run iisreset.

Now we are done. Only users coming from the allowed IP range can reach the EAC; everyone else receives the configured deny action. Check first that the client IP actually reaches IIS unchanged: if a load balancer source-NATs the connections, every request appears to come from the load balancer's address and the allow list no longer distinguishes internal from external clients.
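The same eight steps as a script, followed by a check from a client, as an added example that is not from the original post. It assumes, and none of this is stated above, that the allowed LAN range is 10.0.0.0/16 plus one management host 192.168.1.10, that the external name is mail.domain.com, and that it runs in an elevated Windows PowerShell on each Exchange 2016 Mailbox server. Test-EcpAccess is a helper written for this example.

```powershell
# Added example (not from the original post). Configures IIS "IP Address
# and Domain Restrictions" on the front-end /ecp virtual directory and
# verifies the result. Assumed values: 10.0.0.0/16 and 192.168.1.10 are the
# allowed sources, mail.domain.com is the external name.

Import-Module WebAdministration

# The role service behind IIS Manager's "IP Address and Domain Restrictions".
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security | Out-Null
}

$appHost  = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/ecp'   # front-end vdir, NOT 'Exchange Back End/ecp'
$filter   = 'system.webServer/security/ipSecurity'

# ipSecurity is locked at server level by default, so the settings must live
# in a <location path="Default Web Site/ecp"> block of applicationHost.config,
# which is exactly where IIS Manager writes them; -PSPath/-Location does that.

# Start from an empty list so the script can be re-run safely.
Clear-WebConfiguration -PSPath $appHost -Location $location -Filter $filter -ErrorAction SilentlyContinue

# Steps 4-5: allow entries. A single host uses subnetMask 255.255.255.255.
$allowed = @(
    @{ ipAddress = '10.0.0.0';     subnetMask = '255.255.0.0' }       # assumed LAN range
    @{ ipAddress = '192.168.1.10'; subnetMask = '255.255.255.255' }   # assumed admin host
)
foreach ($entry in $allowed) {
    Add-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $filter -Name '.' -Value @{
        ipAddress  = $entry.ipAddress
        subnetMask = $entry.subnetMask
        allowed    = $true
    }
}

# Steps 6-7: "Access for unspecified clients: Deny", "Deny Action Type: Not Found".
# Other valid denyAction values: AbortRequest, Unauthorized, Forbidden.
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $filter -Name 'allowUnlisted' -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $filter -Name 'denyAction'    -Value 'NotFound'

# Caveat: behind a source-NATing load balancer every request carries the
# load balancer's IP. IIS 8+ can evaluate X-Forwarded-For instead, but only
# enable this when the load balancer always inserts/overwrites that header;
# otherwise a client can spoof it and walk straight past the allow list.
# Set-WebConfigurationProperty -PSPath $appHost -Location $location -Filter $filter -Name 'enableProxyMode' -Value $true

# Step 8
iisreset | Out-Null

# Show what is now in effect for the vdir.
Get-WebConfiguration -PSPath $appHost -Location $location -Filter $filter |
    Select-Object allowUnlisted, denyAction, enableProxyMode
Get-WebConfiguration -PSPath $appHost -Location $location -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed

# Verification helper (written for this example). From an allowed address the
# request ends at the logon page (200); from anywhere else the deny action
# applies and, with NotFound, the result is 404.
function Test-EcpAccess {
    param([string]$Url = 'https://mail.domain.com/ecp/')
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}
"HTTP status for /ecp from this host: $(Test-EcpAccess)"
```

Run Test-EcpAccess once from an internal workstation and once from outside (a phone on mobile data is enough): the first should return 200 and the second 404. If both return 200, the client address is not reaching IIS unchanged (source NAT on the load balancer or firewall) and the allow list is not protecting anything.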

 

Are you concerned that your users can still access Options, which used to take the user to the /ecp virtual directory for Out of Office and other settings?

This has changed in Exchange 2016. In Exchange 2016, Options no longer uses https://url/ECP, so restricting /ecp does not affect users.

So if you are on Exchange 2013, do not follow this blog until you see the user Options URL change in Exchange 2013.

In Exchange 2016, Options takes us to the following URL:

https://mail.domain.com/owa/#path=/options/mail

 

Prabhat Nigam

Microsoft MVP | Office Servers and Services

Team@MSExchangeGuru


10 Responses to “Exchange 2016: Deny External Access to EAC”

  1. Gordon Fecyk Says:

    > Block at the url https://url/ECP at the Firewall or Load Balancer level
    > This sounds a good option except not every firewall or load balancer do it. We also need to involve network team

    In an environment where the network team is also the e-mail team, is this a better option? I can choose to not publish /ecp/ externally.

  2. Prabhat Nigam Says:

    Yes.
    You should be able to block the connections that come with /ecp in the request headers on your firewall. At the same time, IP-based blocking is safe as well.

  3. Harsha Perera Says:

    This works for OWA as well, right?

  4. Prabhat Nigam Says:

    Yes, it should.

  5. Eric Says:

    Do these same steps for restricting the ECP website by IP also apply to Exchange 2013?

  6. Prabhat Nigam Says:

    No.

  7. limws Says:

    Would Set-ECPVirtualDirectory -Identity "Servername\ecp (default web site)" -AdminEnabled $false in Exchange 2013 disable user access to Options? Thx

  8. Prabhat Nigam Says:

    I would suggest trying the option in the lab, or even in production. You can always revert it. Overall, it is a few-minute task.

  9. Nejc Says:

    Please let me know if I can restrict ECP to domain admins (Exchange administrators) and not to domain users. Domain user access to ECP is not harmful. Thank you in advance and best regards.

  10. Prabhat Nigam Says:

    This is for E2016 where domain users do not require ECP.
