How to disable external access of Exchange 2013 ECP

  • Question

  • Hi

    Recently I migrated Exchange 2010 to Exchange 2013. It is still in the co-existence phase.

    I don't want to expose my ECP site to the external network. How do I disable ECP access from external?

    I tried IP and Domain Restrictions; it is working by not allowing login. One more problem with IP and Domain Restrictions is that the OWA options (Autoreply) and so on are not working.

    Please suggest recommended way to disable the ECP external access.

    Saturday, February 14, 2015 5:36 AM

Answers

  • Also take a look at:

    http://blogs.technet.com/b/exchange/archive/2015/02/11/configuring-multiple-owa-ecp-virtual-directories-on-the-exchange-2013-client-access-server-role.aspx

    With Exchange 2013 there’s one new reason to add to the list, separation of the client facing ECP settings pages, and the Exchange Administration Console (EAC) settings pages. Both of these are served by the ECP virtual directory, which is somewhat confusing I’ll admit. Basically the code behind the ECP virtual directory serves up either the personal ECP pages or the administrator's EAC pages based upon the credentials of the user logging in. Of course this means if you allow access to /ECP from the Internet (which you need to for OWA or Outlook users to go to ECP) you also allow someone with administrative credentials to log into EAC. Some customers don’t like this.

    So to summarize, the only reasons for which you might feel the need to create multiple OWA and ECP virtual directories:

    • Separating admin/user ECP access. 
    • Or scenario number 3 as described earlier, because you have different policies or settings, or authentication requirements


    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.


    Saturday, February 14, 2015 12:59 PM
    Moderator

All replies

  • Have you tried the following cmdlet?

    Set-ECPVirtualDirectory -Identity "CAS01\ecp (default web site)" -AdminEnabled $false

    More info here: https://technet.microsoft.com/en-us/library/jj218639(v=exchg.150).aspx


    Regards from Visit ExchangeOnline | Visit WindowsAdmin

    Saturday, February 14, 2015 7:03 AM
  • By disabling it this way, it will disable ECP internally also, right?

    How can I manage my Exchange? After that I have to go to PowerShell for each and everything.

    Is there any way I can restrict it only externally, not internally?

    Saturday, February 14, 2015 7:52 AM
  • In this case, I can provide you an alternative as follows:

    • Open 'Server Manager' and select 'Add roles and features'
    • Select 'Role-based or feature-based installation' > Next
    • Choose the server with IIS installed from the pool > Next
    • Expand the 'Web Server- IIS' role
      1. 'Web Server' > 'Security'
      2. Make sure 'IP and Domain Restrictions' is checked
    • Open IIS and select 'IP Address and Domain Restrictions' under the ECP site
    • In the right-hand pane, select 'Add Allow Entry'
      1. For this example, only hosts in the 192.168.1.0/24 range will be granted access
      2. Click 'OK'
    • Select 'Edit Feature Settings' from the right pane
      1. Set 'Access for unspecified clients' > Deny
      2. Set 'Deny Action Type' > Forbidden

    Do an iisreset and test the system now


    Regards from Visit ExchangeOnline | Visit WindowsAdmin

    Saturday, February 14, 2015 8:26 AM
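
The IIS steps in the reply above, scripted with the WebAdministration module. This is an added example, not part of the original reply, and the application path 'Default Web Site/ecp' is an assumption. As the next reply reports, the restriction also blocks the user-facing options pages that /ecp serves to OWA users outside the allowed range.

```powershell
# Added example: scripted form of the IIS steps above. Run elevated on the CAS.
# Assumption (not from the thread): the ECP application path is 'Default Web Site/ecp'.
Import-Module ServerManager
Import-Module WebAdministration

$location = 'Default Web Site/ecp'
$filter   = 'system.webServer/security/ipSecurity'
$allowed  = @{ ipAddress = '192.168.1.0'; subnetMask = '255.255.255.0'; allowed = $true }

# Role service behind the 'IP and Domain Restrictions' checkbox.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

# 'Add Allow Entry' for 192.168.1.0/24; skipped if already present so a rerun does not fail.
$present = Get-WebConfiguration -PSPath 'IIS:\' -Location $location -Filter "$filter/add" |
    Where-Object { $_.ipAddress -eq $allowed.ipAddress -and $_.subnetMask -eq $allowed.subnetMask }
if (-not $present) {
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter $filter -Name '.' -Value $allowed
}

# 'Edit Feature Settings': deny unspecified clients, answer them with 403 Forbidden.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter $filter -Name allowUnlisted -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter $filter -Name denyAction -Value 'Forbidden'

# Read the effective settings back before restarting IIS.
Get-WebConfiguration -PSPath 'IIS:\' -Location $location -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
foreach ($name in 'allowUnlisted', 'denyAction') {
    $value = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter $filter -Name $name).Value
    Write-Output "$name = $value"
}

# The reply ends with an IIS restart.
iisreset
```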
  • Hi

    I tried this option also.

    The problem with this option is that users are not able to use options from OWA (out of office kind of stuff).

    Saturday, February 14, 2015 9:02 AM
  • Hey Vino,

    How have you published your Exchange services like OWA and OA? You may block /ecp there itself.

    That will make sure that no one will be able to access the ECP from the external world.

    Saturday, February 14, 2015 11:43 AM
  • Hi 

    You can do that with TMG or a hardware load balancer.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. My blog: http://msibrahim.wordpress.com/

    Saturday, February 14, 2015 1:29 PM
  • By disabling it this way, it will disable ECP internally also, right?

    How can I manage my Exchange? After that I have to go to PowerShell for each and everything.

    Is there any way I can restrict it only externally, not internally?

    You're right.

    How to manage Exchange?

    1. You can manage everything using EMS. Or

    2. Set up another CAS server. This one should not be exposed externally. You can control this at your HLB/firewall/reverse proxy so that the new CAS can be reached only from the internal network. Btw, -AdminEnabled should be $true for this CAS.



    • Edited by Li Zhen Saturday, February 14, 2015 3:32 PM
    Saturday, February 14, 2015 3:16 PM
  • Hi,

    Thanks for your response...

    I have one query: by creating multiple virtual directories, can the things below be achieved or not?

    1) Users can access OWA with full options like out of office, Change Password etc.

    2) ECP won't be available from external, but it will be available internally.

    Saturday, February 14, 2015 5:55 PM