Disable external access to ECP in Exchange Server

The release of Exchange Server 2013 brought a number of new features to the administrator's toolbox, among them a new management console called the Exchange Admin Center (EAC). It replaces its predecessor, the Exchange Management Console (EMC), which administrators used to manage Exchange 2010 organizations. The two consoles are quite different: EMC is a Microsoft Management Console (MMC) snap-in, while EAC is a web-based management console installed on the Client Access Server (CAS) as a virtual directory in IIS.

EAC is delivered through the Exchange Control Panel (ECP), an unrestricted web application reachable from practically any location on the network (LAN or Internet). Anyone holding a valid username and password can log on to it. This poses a serious risk when CAS sits in a perimeter network such as a DMZ: an attacker with captured credentials could log on to ECP from the Internet.

Fortunately, Microsoft gives us a way to restrict access to ECP without turning off access to OWA. We can do this simply by following Microsoft's documentation and running the command below:

Set-EcpVirtualDirectory -identity "ecp (Default Web Site)" -AdminEnabled $false

As can be seen in the screenshot above, if we want the change to take effect immediately we can run the "iisreset /noforce" command:

iisreset /noforce

After this setting has been applied, every attempt to reach the ECP page ends with a "404 – page not found" error, or the request is redirected to the OWA options page for the administrator's own account (see the screenshot below).

However, this solution has one drawback. Although it effectively blocks access to ECP from the Internet zone, it also removes access to ECP from the internal network. For this situation Microsoft recommends installing one more CAS server dedicated to internal ECP access. In my opinion, shared by fellow IT professionals, a much better option is to create a second website with ECP and OWA virtual directories on the Internet-facing CAS. This is a cheaper and less time-consuming solution.

To apply this solution, we need to assign a second IP address to the server on which CAS is installed (most often the only one we have). This is easily done either by configuring a new IP address on a second network adapter installed in the CAS server, or by assigning a second IP address to the existing network interface. The first approach is mostly chosen by administrators for security-policy compliance reasons; the second is simpler to implement and cheaper. The screenshot below shows the latter configuration:

After assigning the IP address to CAS, we need to create a matching record in the DNS zone on the DNS server. The name in this record will be used to reach the custom ECP virtual directory, and the record must point to the IP address configured in the previous step:

In the next step, we create a folder for the second website, e.g. wwwroot2, under the C:\Inetpub folder.

Copy all files and folders from the Default Web Site (C:\inetpub\wwwroot) to (C:\inetpub\wwwroot2). You can skip the following files that can’t be copied:
MacCertification.asmx
MobileDeviceCertification.asmx
decomission.asmx
editissuancelicense.asmx

Copy all files and folders from %ExchangeInstallPath%\FrontEnd\HttpProxy\ecp to C:\inetpub\wwwroot2\ecp.

Copy all files and folders from %ExchangeInstallPath%\FrontEnd\HttpProxy\owa to C:\inetpub\wwwroot2\owa.

Once the folder is created, we open Internet Information Services (IIS) Manager and set up the second website, e.g. "InternalEAC", pointing at the newly created folder C:\inetpub\wwwroot2 and bound to ports TCP/80 (HTTP) and TCP/443 (HTTPS). The screenshots below walk through the process.

First of all, remember to bind the new website to the new IP address:

In the following step, we need to set up virtual directories for ECP and OWA under the newly created second website. We will approach this by executing the commands below:

New-EcpVirtualDirectory -Server "EX02" -WebSiteName "InternalEAC" -InternalUrl "https://ex02/ecp" -Path "C:\inetpub\wwwroot2\ecp"
New-OwaVirtualDirectory -Server "EX02" -WebSiteName "InternalEAC" -InternalUrl "https://ex02/owa" -Path "C:\inetpub\wwwroot2\owa"

After this point, we disable administrative access to ECP on the Default Web Site using the Microsoft solution mentioned earlier. To do this, we simply run the following commands:

Set-EcpVirtualDirectory -Identity "ecp (Default Web Site)" -AdminEnabled $false
iisreset /noforce

It may take some time before the change becomes visible.
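The whole procedure above, collected into a single Exchange Management Shell script, as an added example that is not part of the original post. The server name EX02, the internal IP address 10.0.0.20, the adapter name, the DNS zone and DNS server name are assumed placeholders; the site name, folder paths and the list of skipped files are taken from the post. The script ends with a check that the Default Web Site's ECP has AdminEnabled set to False while the new site's ECP still has it enabled.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the CAS as an administrator. All values below marked "assumed" are
# placeholders to adapt to your environment.
Import-Module WebAdministration

$Server         = 'EX02'                  # assumed CAS host name (matches the post's example)
$InternalIP     = '10.0.0.20'             # assumed second IP address for the internal site
$InterfaceAlias = 'Ethernet'              # assumed adapter that receives the extra IP address
$DnsZone        = 'corp.example'          # assumed AD-integrated DNS zone
$DnsServer      = 'DC01'                  # assumed DNS server holding that zone
$SiteName       = 'InternalEAC'
$DefaultRoot    = 'C:\inetpub\wwwroot'
$SiteRoot       = 'C:\inetpub\wwwroot2'
$ExchangeRoot   = $env:ExchangeInstallPath  # set by Exchange setup, e.g. C:\Program Files\Microsoft\Exchange Server\V15\
# Files the post says cannot be copied from the Default Web Site; robocopy skips them.
$SkipFiles      = 'MacCertification.asmx','MobileDeviceCertification.asmx',
                  'decomission.asmx','editissuancelicense.asmx'

# 1. Second IP address on the existing adapter (the cheaper variant from the post).
if (-not (Get-NetIPAddress -IPAddress $InternalIP -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $InternalIP -PrefixLength 24 | Out-Null
}

# 2. DNS host record that internal administrators will use to reach the new site.
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $DnsZone `
    -Name $Server.ToLower() -IPv4Address $InternalIP -ErrorAction SilentlyContinue

# 3. Folder for the second site: copy of the Default Web Site content (minus the
#    files that cannot be copied) plus the ECP and OWA front-end content.
New-Item -ItemType Directory -Path $SiteRoot -Force | Out-Null
robocopy $DefaultRoot $SiteRoot /E /XF $SkipFiles | Out-Null
robocopy (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp') (Join-Path $SiteRoot 'ecp') /E | Out-Null
robocopy (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa') (Join-Path $SiteRoot 'owa') /E | Out-Null
# robocopy exit codes below 8 mean success (files copied / nothing to do).
if ($LASTEXITCODE -ge 8) { throw "robocopy reported a failure (exit code $LASTEXITCODE)" }

# 4. IIS website bound only to the internal IP address on TCP/80 and TCP/443.
if (-not (Get-Website -Name $SiteName)) {
    New-Website -Name $SiteName -PhysicalPath $SiteRoot -IPAddress $InternalIP -Port 80 | Out-Null
    New-WebBinding -Name $SiteName -Protocol https -IPAddress $InternalIP -Port 443
    # Reuse the certificate already bound on TCP/443 for the Default Web Site.
    $existing = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
    $cert     = Get-Item "Cert:\LocalMachine\My\$($existing.Thumbprint)"
    New-Item -Path "IIS:\SslBindings\$InternalIP!443" -Value $cert | Out-Null
}

# 5. ECP and OWA virtual directories under the new site (the commands from the post).
New-EcpVirtualDirectory -Server $Server -WebSiteName $SiteName `
    -InternalUrl "https://$($Server.ToLower())/ecp" -Path (Join-Path $SiteRoot 'ecp') | Out-Null
New-OwaVirtualDirectory -Server $Server -WebSiteName $SiteName `
    -InternalUrl "https://$($Server.ToLower())/owa" -Path (Join-Path $SiteRoot 'owa') | Out-Null

# 6. Turn off administrative ECP access on the Internet-facing Default Web Site.
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" -AdminEnabled $false
iisreset /noforce | Out-Null

# 7. Verify: the Default Web Site ECP must be AdminEnabled = False, the new one True.
$ecp = Get-EcpVirtualDirectory -Server $Server
$ecp | Format-Table Identity, AdminEnabled, InternalUrl -AutoSize
$default  = $ecp | Where-Object { $_.Identity -like '*(Default Web Site)' }
$internal = $ecp | Where-Object { $_.Identity -like "*($SiteName)" }
if ($default.AdminEnabled -or -not $internal.AdminEnabled) {
    Write-Warning 'ECP AdminEnabled flags are not in the expected state; review the output above.'
} else {
    Write-Host "External ECP is disabled; internal EAC is available at https://$($Server.ToLower())/ecp"
}
```

The IIS binding in step 4 is what keeps the second site internal: it listens only on the second IP address, so the firewall or NAT rule that publishes the CAS to the Internet must continue to forward traffic to the original address only. Step 7 is worth keeping as a periodic check, because a later Set-EcpVirtualDirectory run or a cumulative update can silently restore the default.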
