none
Disabling external access, general users to ECP RRS feed

  • Question

  • I want to disable internet access to ECP.

    Can I simply remove the external URL in the virtual directory to turn off external access?

    How can I turn off access to general users so only a handful of accounts can access the ECP?

    Thanks


    • Edited by Susan_773 Monday, October 28, 2019 3:08 PM
    Monday, October 28, 2019 3:03 PM

Answers

  • Hi Susan_773,

    Disable external ECP will disable it for all external users. If you want remain some users to access ECP from external of your organization, those suggestion may be useful to you:

    1. Do filters on your firewall as Oleg.Kovalenko said. About detail information, you may need to confirm with your network team.

    2. There exist a new function in Exchange 2019, it could limit user could access ECP from specific IP address. You can use Exchange 2019 as internet facing server, then you could set limitation on it: Client Access Rules in Exchange 2019 

    Regards,

    Kyle Xu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, October 29, 2019 9:22 AM
    Moderator

All replies

  • Hello.

    What Proxy do you have in Firewall? 

    Can you control list access to public URL on Proxy?

    Another link 

    Configuring Multiple OWA/ECP Virtual Directories on the Exchange 2013 Client Access Server Role

    How to disable external access to ECP in Exchange 2013?


    MCITP, MCSE. Regards, Oleg

    Monday, October 28, 2019 4:10 PM
  • No proxy is setup. What would that setup be and what are the advantages/disadvantages of that setup?

    Removing the external URL won't work or are there disadvantages to doing so?

    I don't want to do something that will lock me out of the internal ECP as well.

    Monday, October 28, 2019 5:59 PM
  • I'm not recommend remove ECP URL.

    Please use Proxy with Firewall for control access external access to Exchange.

    You can use PowerShell for off Admin Access to ECP

    Set-EcpVirtualDirectory -Identity "Server01\ecp (Default Web site)" -AdminEnabled $false

      

    MCITP, MCSE. Regards, Oleg

    Monday, October 28, 2019 6:10 PM
  • Hi Susan_773,

    Disable external ECP will disable it for all external users. If you want remain some users to access ECP from external of your organization, those suggestion may be useful to you:

    1. Do filters on your firewall as Oleg.Kovalenko said. About detail information, you may need to confirm with your network team.

    2. There exist a new function in Exchange 2019, it could limit user could access ECP from specific IP address. You can use Exchange 2019 as internet facing server, then you could set limitation on it: Client Access Rules in Exchange 2019 

    Regards,

    Kyle Xu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, October 29, 2019 9:22 AM
    Moderator
  • Thanks for the replies.

    Just in case, could you please include a cmdlet to undo that cmdlet just in case?

    Thanks!

    Saturday, November 2, 2019 3:28 AM
  • Thanks for the replies.

    Just in case, could you please include a cmdlet to undo that cmdlet just in case?

    Thanks!

    You can use "Remove-ClientAccessRule" to remove the rule when you don't want to use it. Please note: Client Access Rule only supported for Exchange 2019 and Exchange online.

    Regards,

    Kyle Xu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, November 4, 2019 8:20 AM
    Moderator
  • Thanks for the reply.

    I have exchange 2013/2016 coexistence I need a solution for exchange 2013/2016.

    To reverse what Okeg suggested,  would I change false to true?

    Thanks 


    • Edited by Susan_773 Friday, November 8, 2019 5:07 PM
    Friday, November 8, 2019 5:06 PM
  • Hi Susan

    For example, you use Citrix Gateway (NetScaler Gateway) as proxy for access to Exchange.


    MCITP, MCSE. Regards, Oleg

    Friday, November 8, 2019 11:23 PM
  • I don't want anyone to access the ECP from outside of the local network.

    I am looking to reverse Oleg's powershell cmdlet in case I need to.

    Does the cmdlet that Oleg suggested lock only the external ECP and not the interal ECP?

    ECP is tied to OWA. They both have the same internal/external URL and don't want to accidentally lock OWA or the internal ECP. That is why I want to be able to undo it.

    To reverse it, do I just change false to true?

    Thanks.

    Saturday, November 9, 2019 1:32 AM