Disable external access to ECP in Exchange Server
The release of Exchange Server 2013 brought a number of new features to the administrator's toolkit, among them a new management console called Exchange Admin Center (EAC). It replaces its predecessor, Exchange Management Console (EMC), which administrators used to manage Exchange 2010 organizations. The two consoles are quite different: EMC is a Microsoft Management Console (MMC) application, while EAC is a web-based management console installed on the Client Access Server (CAS) as a virtual directory in IIS.
EAC comes with Exchange Control Panel (ECP), an unrestricted web application that is reachable from practically any location on the network (LAN or Internet). Anyone who has a valid username and password may be able to log on to it. This can pose a serious threat when the CAS is installed in a perimeter network such as a DMZ, because attackers using intercepted passwords could log on to ECP from the Internet.
Fortunately, Microsoft gives us a way to restrict access to ECP without turning off access to OWA. We can do this by following the Microsoft documentation and running the command below:
Set-EcpVirtualDirectory -identity "ecp (Default Web Site)" -AdminEnabled $false
As can be seen in the screenshot above, if we want the change to take effect immediately we can run the "iisreset /noforce" command.
iisreset /noforce
Once the change is in place, every attempt to reach the ECP page will end with a "404 – page not found" error, or the request will be redirected to the OWA options page with the administrator's account details (see the screenshot below).
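To confirm the setting took effect on every server, the AdminEnabled value can be read back with Get-EcpVirtualDirectory. The following is an added example, not part of the original article; the function name Test-EcpAdminExposure and the sample server names and URL are assumptions made for illustration.

```powershell
# Added example: audit ECP virtual directories for the AdminEnabled setting.
# In the Exchange Management Shell, feed it live data:
#   Get-EcpVirtualDirectory | Test-EcpAdminExposure | Format-Table -AutoSize

function Test-EcpAdminExposure {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$VirtualDirectory
    )
    process {
        $adminEnabled   = [bool]$VirtualDirectory.AdminEnabled
        $hasExternalUrl = -not [string]::IsNullOrEmpty([string]$VirtualDirectory.ExternalUrl)

        # An empty ExternalUrl does not prove the site is unreachable from the
        # Internet; it only means no external URL is configured in Exchange.
        $status = if (-not $adminEnabled) {
            'OK: EAC disabled on this virtual directory'
        } elseif ($hasExternalUrl) {
            'REVIEW: EAC enabled and an ExternalUrl is configured'
        } else {
            'INFO: EAC enabled, no ExternalUrl configured'
        }

        [pscustomobject]@{
            Server       = $VirtualDirectory.Server
            Name         = $VirtualDirectory.Name
            AdminEnabled = $adminEnabled
            ExternalUrl  = $VirtualDirectory.ExternalUrl
            Status       = $status
        }
    }
}

# Constructed sample objects (not real servers) so the logic can be tried
# on a workstation without Exchange installed.
$sample = @(
    [pscustomobject]@{ Server = 'CAS01'; Name = 'ecp (Default Web Site)'
                       AdminEnabled = $false; ExternalUrl = 'https://mail.example.com/ecp' }
    [pscustomobject]@{ Server = 'CAS02'; Name = 'ecp (Default Web Site)'
                       AdminEnabled = $true;  ExternalUrl = 'https://mail.example.com/ecp' }
    [pscustomobject]@{ Server = 'CAS03'; Name = 'ecp (Default Web Site)'
                       AdminEnabled = $true;  ExternalUrl = $null }
)

$sample | Test-EcpAdminExposure | Format-Table -AutoSize
```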
However, this solution has one drawback. Although it successfully restricts access to ECP from the Internet zone, we also lose access to ECP from the internal network. For this case Microsoft recommends installing one more CAS server for internal ECP access only. However, in my opinion and that of my professional IT colleagues, a much better option is to set up a second web site with ECP and OWA virtual directories on the Internet-facing CAS. This solution is less expensive and less time-consuming.
To apply the solution, we need to assign a second IP address to the server on which CAS is installed (most often the only one we have). This can easily be done by configuring a new IP address on a second network adapter installed in the CAS server, or by assigning a second IP address to the existing network interface. The first approach is mainly used by administrators for security policy compliance reasons; the second, however, is easier to implement and cheaper. The screenshot below shows the latter solution:
After assigning the IP address to the CAS, we need to create an appropriate record in the DNS zone on the DNS server. The name in this record will be used to reach the custom ECP virtual directory, and the record must point to the IP address configured in the previous step.
Copy all files and folders from %ExchangeInstallPath%\FrontEnd\HttpProxy\ecp to C:\inetpub\wwwroot2\ecp.
Copy all files and folders from %ExchangeInstallPath%\FrontEnd\HttpProxy\owa to C:\inetpub\wwwroot2\owa.