Exchange 2013 OWA Options

  • Question

  • Hi,

    In our organization, we restricted the access to the exchange admin console directory (/ecp) to internal network only.

    Now, some of our users say that when accessing the "Options" in OWA from outside our network they get a forbidden access page.

    I realized it makes sense that the page is blocked because when I go to Options in OWA the URL redirects to "/ecp/?rfr=owa" and from what I mentioned above I restricted the "/ecp" to internal network only.

    Now, how do I work around this? I want to keep the restriction to the EAC but also let my users access the Options menu in OWA from outside our network.

    Thanks in advance!

    Monday, October 13, 2014 10:00 AM

All replies

  • Hi, please check this. You can disable ECP while keeping OWA open:

    http://theucguy.net/turn-off-internet-access-to-exchange-2013-eac/

    http://www.expta.com/2013/09/how-to-block-owa-2010-and-2013-for.html


    Thanks, Happiness Always
    Jatin

    Monday, October 13, 2014 11:25 AM
  • Hi,

    The first link disables the EAC entirely, which I don't want.

    The second link blocks access to all external users.

    I wonder if you understood my question properly, sorry but my issue is different from your suggestions.

    But thanks anyway! :)

    Monday, October 13, 2014 2:36 PM
  • Hi,

    As per my knowledge, OWA users will be redirected to the ECP page when they try to perform actions like reset password, automatic replies and manage apps.

    Most importantly, if we go to Options in the OWA page it will get redirected to ECP.

    I hope all of the above is by design in Exchange 2013. So if you block ECP access for external users, they will not be able to perform the above actions from external OWA.

    Note: the ECP block applies to all external users. Unfortunately we don't have any option to block it for an individual user.

    Please reply to me if you have any queries.

    Regards

    S.Nithyanandham


    Monday, October 13, 2014 2:51 PM
  • I don't expect there's anything built-in, but I have this for E2010. E2013 should (hopefully) be similar.

    http://blog.leederbyshire.com/2014/10/13/how-to-restrict-ms-exchange-ecp-to-internal-addresses-but-allow-owa-users-to-access-it/


    OWA For SmartPhone

    Tuesday, October 14, 2014 9:15 AM
  • Hi KMTayan,

    Thank you for your question.

    To my knowledge, your goal cannot be achieved; you cannot disable ECP for a specific user.

    If you disable it for the Internet, it will affect all users. If you disable it by user alias, it will not work for your internal network.

    If any questions, please let me know.

    Best Regards,

    Jim Xu

    Tuesday, October 14, 2014 10:16 AM
  • I tried the code and edited it as below:

    <%
    string strSource = Request.QueryString["rfr"];
    if(strSource != "owa")
    {
        string strIP = Request.ServerVariables["REMOTE_ADDR"];
        if(strIP.Substring(0, 8) != "192.168.10")
        {
            Response.Write("ECP not allowed from this location");
            Response.End();
        }
    }
    %>

    Then I reset IIS. Unfortunately it did not work.

    Did I miss something?

    Tuesday, October 14, 2014 10:21 AM
  • There's a problem here:

    if(strIP.Substring(0, 8) != "192.168.10")

    will never be satisfied because you are comparing a string of length 8 with one of length 10. Try

    if(strIP.Substring(0, 10) != "192.168.10")


    OWA For SmartPhone

    Tuesday, October 14, 2014 10:43 AM
  • Hi Lee, sorry! I need to allow users who are accessing owa options from outside our network.

    So I guess I need to allow any IP to access "/ecp/?rfr=owa".

    Does that make sense?

    Tuesday, October 14, 2014 12:56 PM
  • The "Options" menu in OWA is ECP, so restated your question is "How do I get ECP to both work and not work from the internet".

    When stated like that, the answer becomes pretty clear; you don't.

    Tuesday, October 14, 2014 1:02 PM
  • Yes, the first thing the code does is check for the existence of the querystring variable rfr = "owa". If it's there (i.e. the request is a redirect to /ecp/ from OWA), then all access is permitted. If it's not there, then a check is made for the user's IP address. If it doesn't begin with 192.168.1.10, then access is denied.

    What is it doing now, with the code added? Does it still allow everyone in? Or block everyone out?

    Try this little alteration, and look at the page source in IE to make sure that you see the rfr and IP values within HTML comment tags.

    <%
    string strSource = Request.QueryString["rfr"];
    string strIP = Request.ServerVariables["REMOTE_ADDR"];
    Response.Write("<!-- rfr=" + strSource + " -->");
    Response.Write("<!-- ip=" + strIP + " -->");

    if(strSource != "owa")
    {
        if(strIP.Substring(0, 10) != "192.168.10")
        {
            Response.Write("ECP not allowed from this location");
            Response.End();
        }
    }
    %>



    OWA For SmartPhone

    Tuesday, October 14, 2014 1:23 PM
  • Hi Lee,

    Thanks I get it now.

    So I pasted the code within the head tag and then restarted IIS.

    When I access OWA and click "Options" it goes to "/owa/auth/logon.aspx" instead of "/ecp/?rfr=owa".

    Any ideas why this is happening?

    Do I need to configure the IP address restriction for ecp to allow any IP or just leave it blank?
    Tuesday, October 14, 2014 1:59 PM
  • The only thing I can think of is that maybe you edited the file on another PC, and now the permissions are different (hence the re-logon). Can you find the IIS log entries for the attempt to access /ECP/ with parameter rfr=owa?

    OWA For SmartPhone

    Tuesday, October 14, 2014 2:35 PM
  • Hi Lee,

    It worked when I configured the ECP IP address restrictions to allow any IP (0.0.0.0/0).

    Now it's working thanks.

    Two further questions: how can I add another IP range to the code (i.e. "192.168.10" and "192.168.20")? And since this is a workaround (or hack), is there any security risk?

    Thanks in advance!

    Tuesday, October 14, 2014 4:11 PM
  • Oh, right. Maybe you already had something in there that conflicted.

    For two IP ranges, try (this should all be on one line, but it might get wrapped here):

    if((strIP.Substring(0, 10) != "192.168.10") && (strIP.Substring(0, 10) != "192.168.20"))

    The only security risk is that someone will find a way around it. I'd suggest going into ECP from within OWA, and see if you can find a way to get to the functions you are trying to block, using the on-screen links.


    OWA For SmartPhone

    Tuesday, October 14, 2014 7:45 PM
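The check discussed in this thread, as an added example that is not Lee's code or anything from the linked blog post: it keeps the rfr=owa rule and the two-range allow-list from the last reply, but replaces the Substring prefix comparison (which also matches 192.168.100.x and throws on any address shorter than ten characters) with proper CIDR matching. The range list and the IsAllowed/InCidr names are assumptions; REMOTE_ADDR is the TCP peer, so behind a load balancer or reverse proxy it will be the proxy's address, and the rfr value is part of the client's request rather than something the server can verify, so this separates OWA-originated requests by convention only.

```csharp
// Added example, not code from the thread. Drop-in replacement for the
// inline <% %> check: call EcpAccess.IsAllowed(Request.QueryString["rfr"],
// Request.ServerVariables["REMOTE_ADDR"]) and Response.End() when it is false.
using System;
using System.Net;

public static class EcpAccess
{
    // Hypothetical allow-list matching the thread's two ranges; adjust to your network.
    static readonly string[] InternalRanges = { "192.168.10.0/24", "192.168.20.0/24" };

    // True if the request may reach ECP.
    public static bool IsAllowed(string rfr, string remoteAddr)
    {
        // OWA's "Options" redirect carries rfr=owa. This value comes from the
        // client, so it distinguishes OWA traffic by convention, not by proof.
        if (rfr == "owa") return true;

        // Unparseable or missing peer address: deny rather than throw.
        if (!IPAddress.TryParse(remoteAddr ?? "", out var ip)) return false;

        foreach (var range in InternalRanges)
            if (InCidr(ip, range)) return true;
        return false;
    }

    // Byte-wise CIDR test; works for IPv4 and IPv6 and never matches across families.
    static bool InCidr(IPAddress ip, string cidr)
    {
        var parts = cidr.Split('/');
        var net = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        byte[] a = ip.GetAddressBytes(), n = net.GetAddressBytes();
        if (a.Length != n.Length) return false;

        for (int i = 0; i < a.Length; i++)
        {
            // Number of significant bits in this octet: 8, partial, or 0.
            int bits = Math.Min(8, Math.Max(0, prefix - i * 8));
            int mask = bits == 0 ? 0 : (0xFF << (8 - bits)) & 0xFF;
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }
}
```

With these ranges, 192.168.10.5 and 192.168.20.200 are allowed without rfr, while 192.168.100.5 (which the string prefix test would have let through) and 10.1.2.3 (which it would have thrown on) are both denied.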