Exchange 2016: Deny External Access to EAC

Exchange 2016: Deny External Access to EAC

 

Security has been the key with this growing cyber-attack world. So my customer asked to block external ECP access. Here is how we implemented this.

We have following options and my views on it.

• Block at the url https://url/ECP at the Firewall or Load Balancer level
  

This sounds a good option except not every firewall or load balancer do it. We also need to involve network team.

• Block the AdminEnabled in the ECP Virtual Directory property.
  

This is new feature but this block internal access as well. So not a nice option. The following cmdlet can be used to apply this.

Set-ECPVirtualDirectory -Identity “Servername\ecp (default web site)” -AdminEnabled $false

 

• Block the AdminEnabled in the ECP Virtual Directory property with new server which will be used for ECP access.
  

Adding another server which will use some hardware resources in virtualized setup or a new hardware server + Windows and Exchange License cost to access ECP is never a recommendation. At the same time, it gives you full isolation.

• Remove External URL on the ECP Virtual Directory
  

Removing Externalurl does not stop the external access unless we also block OWA. So this is not an option.

• Allow only LAN IP Address range on the ECP Virtual Directory from IIS Manager.
  

Allow only the LAN IP address range sounds a reasonable option to me. Here is how we configure this.

Step 1. Login to your Exchange server and Open IIS Manager

Step 2. Browse down to “Default Web Site” à ECP

 

Step 3. Double click on “IP Address and Domain Restrictions”

 

Step 4. Click on “Add Allow Entry”

 

Step 5. Add IP or Range then click Ok

 

It is not done yet. So have some patience

Step 6. Click on “Edit Feature Settings”

 

Step 7. In “Access for Unspecified clients” Select Deny and in “Deny Action Type” we can “Not Found” or any other option.

 

Step 8. Do the IIS reset.

Now we are done. Only the assigned IP Range users can see it.

 

Are you concerned if your users can still access options which used to take the user to /ecp vdir to get the out of office and other options?

This has changed in Exchange 2016. In Exchange 2016 Options will use the following url and not https://url/ECP

So if you are on Exchange 2013 then do not follow this blog until you see the users option url change in Exchange 2013.

In Exchange 2016 Options will take us to the following url.

https://mail.domain.com/owa/#path=/options/mail