none
How to disable access to the Exchange Admin Center from external users but still allowing the external users to access the ECP site. RRS feed

  • Question

  • Hi,

    I guess that subject says it all. I'm trying to figure out how to block external users from accessing the  Exchange Admin Center but still allowing external users to access the ECP. I found some useful documentation on the net but it was not the answer I was looking for, such as:

    1. Using the Powershel cmdlet which disables access from everyone.

    2. Adding the "IP and Domain Restrictions" feature and allowing the company's internal network and denying the rest.  I thought this was the answer but although users are not able to access EAC from the outside they are also not able to access ECP.

    Is there any workaround?

    Thanks,

    Phil

    Wednesday, October 15, 2014 1:41 AM

Answers

  • I'm not sure if this will help out, but take a look at this thread.  Someone was trying to do something similar.

    https://social.technet.microsoft.com/Forums/en-US/a7c838a3-653b-4b98-9bd2-17c46ddcf076/exchange-2013-owa-options?forum=exchangesvrclients

    • Marked as answer by savednotes Tuesday, November 25, 2014 1:59 PM
    Wednesday, October 15, 2014 1:42 PM

All replies

  • Hi ,

    Please have a look in to the below mentioned blog .

    http://technet.microsoft.com/en-us/library/jj218639(v=exchg.150).aspx

    Note : If you disable the ecp by using the below mentioned command it will disable both internal and external ecp access and there is no separate separate switch to control both the ecp access.

    Set-ECPVirtualDirectory -Identity "CAS01\ecp (default web site)" -AdminEnabled $false

    Even though if you wanted to have a ecp access for internal users you need to have a separate cas server to handle internal requests.

    2.As an additional info , In case if you have TMG firewall you can avoid publishing of ECP directory over internet .

    Please feel free to reply me if you have any queries.

    Regards

    S.Nithyanandham


    Thanks S.Nithyanandham

    Wednesday, October 15, 2014 6:27 AM
  • Hi,

    This information is informative. However, it still does not answer my question.  I should have been clearer when I mentioned using the Powershell cmdlet which is the what you touch upon with the helpful link. What I would like to achieve is having users that are outside of the organization be able to access outlook and the exchange control panel but not allowing them to access the exchange admin center.

    I want the ECP directory to be published outside of the organization, because if it's not, users will not be able to control certain features such as setting up their away messages on outlook. I want to know if it's possible to deny access just to the EAC from external users.

     

    Thanks,

    Phil

    Wednesday, October 15, 2014 1:04 PM
  • Hi ,

    Please have a look in to this .

    EAC is now a web-based management console, you’ll need to use the ECP virtual directory URL to access the console from your web browser. In most cases the EAC’s URL will look similar to the following:

    • Internal URL: https://<CASServerName>/ecp   The internal URL is used to access the EAC from within your organization’s firewall.

    • External URL: https://mail.contoso.com/ecp   The external URL is used to access the EAC from outside of your organization’s firewall.

    Note : There is no virtual directory for EAC .If you want to use EAC internally or externally ,you need to use the ecp virtual directory to gain the access.

    Please reply me if you have any queries .

    Regards

    S.Nithyanandham


    Thanks S.Nithyanandham

    Wednesday, October 15, 2014 1:13 PM
  • Hi,

    1. I am aware that the EAC is now a web-based management. I've read the tech-net articles. 

    2. I am also aware of setting the internal and external URL on the ECP directory.

    What I'm asking is blocking access just to the EAC without having to block ECP entirely. I guess it's not possible.

    Thanks,

    Wednesday, October 15, 2014 1:34 PM
  • I'm not sure if this will help out, but take a look at this thread.  Someone was trying to do something similar.

    https://social.technet.microsoft.com/Forums/en-US/a7c838a3-653b-4b98-9bd2-17c46ddcf076/exchange-2013-owa-options?forum=exchangesvrclients

    • Marked as answer by savednotes Tuesday, November 25, 2014 1:59 PM
    Wednesday, October 15, 2014 1:42 PM
  • Hi ,

    As per my knowledge the scenario what you are trying to achieve is not at all possible.

    Regards

    S.Nithyanadham




    Thanks S.Nithyanandham

    • Marked as answer by savednotes Wednesday, October 29, 2014 4:34 PM
    • Unmarked as answer by savednotes Tuesday, November 25, 2014 1:59 PM
    Wednesday, October 15, 2014 1:43 PM
  • This is exactly what I am looking for, I will see if this works in my environment.

    Thanks,

    Wednesday, October 15, 2014 1:49 PM
  • Awesome.  Let us know how it goes.


    Thursday, October 16, 2014 7:52 PM
  • I was wondering, did you ever get the solution you needed? I'm facing the same problem and I get your exact situation.

    This is a poor design by Microsoft.  You should be able to disable access to EAC and allow ecp for users connecting outside your network.

    Wednesday, April 29, 2015 7:09 AM