abdullahsalam
Aug 04, 2020, Copper Contributor
Block Microsoft Exchange Server 2016 Exchange Admin Center (EAC) website from Internet
Hi, as per requirements from our customer to restrict EAC from the external network, we have configured Exchange 2016 servers with Option 2 using the article below: https://docs.micr...
Aug 04, 2020
Dear Abdullah,
I would like to suggest you take a look at a blog I wrote about using Azure App Proxy with Exchange to only allow OWA and/or ECP through the App Proxy.
This will give you the possibility to use SSO and MFA / Conditional Access to limit and secure these components:
https://www.patrickvanbemmelen.nl/securing-using-sso-for-owa-ecp-with-the-azure-app-proxy/
abdullahsalam
Aug 04, 2020, Copper Contributor
Hi BemmelenPatrick,
Thanks for your reply and sharing the guide.
Is AAP officially supported to publish Exchange services?
Also, can we leverage Azure App Proxy to publish all Exchange virtual directories, such as EWS, ActiveSync and Autodiscover?
I agree that it's good to hide OWA and ECP behind AAP to get MFA support, but this leaves the other directories exposed to the public internet, and we need to maintain reverse proxies on-premises etc.
Also, the AAP solution would require the customer to sync their directory to Azure AD, which, as per the customer, they won't agree to for security reasons.
Also, the customer is a UAE Government entity and may consider whether Azure AD and the Azure AD proxy service are available in the UAE. Please correct me, but as per my information Azure AD proxy isn't available in the UAE region.
Are there any supported alternatives, preferably using Exchange, to achieve the goal?
SamErde
Aug 05, 2020, Iron Contributor
I would highly recommend using a reverse proxy between your perimeter firewall and your Exchange server[s]. You can configure the reverse proxy to only pass through OWA traffic and ignore/drop ECP URL requests.
Once this is properly configured, you don't need to go through the hassle of disabling ECP on your Exchange Server or even creating a separate ECP site. (Although if you've already done that work, there's no reason to undo it.) Regardless of your choice, just be sure to set your external ECP URL values to null.
Off the top of my head, two potential solutions for a reverse proxy (I'm sure there are many) might be Citrix ADC (Netscaler) or Traefik. This is essentially what AAP does, but AAP (Azure App Proxy) is running in Azure, whereas your reverse proxy could run on premises.
abdullahsalam
Aug 05, 2020, Copper Contributor
Hi SamErde,
Thanks for your reply and for providing your recommendations. I would then conclude that the only solution for restricting the ECP Login Page access is using the reverse proxy solution to meet the security requirements of the customer.
I have also tested the Client Access Rules on Exchange Server 2019 in my lab to block client access to the EAC, but it still shows the Exchange Admin Center login page. I also get the same result when I configure the "IP Address and Domain Restrictions" feature in IIS.
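As an added illustration (not code from anyone in the thread), the following Exchange Management Shell script ties the two points together: it clears any external ECP URL as SamErde recommends, creates the Exchange 2019 Client Access Rule tested above, and then probes the published hostname to confirm whether /ecp is actually blocked in front of Exchange. The hostname and admin subnet are placeholders, and the rule name is my own.

```powershell
# Added example, not code from anyone in the thread. Run in the Exchange Management Shell
# on an Exchange 2019 server (Client Access Rules are not available on Exchange 2016).
# Hostname and subnet below are placeholders for the customer's own values.
$PublicHost = 'mail.example.com'   # placeholder: the published OWA hostname
$MgmtRange  = '10.0.0.0/24'        # placeholder: the internal admin network

# 1. Clear any external ECP URL that is still set (SamErde's advice above).
foreach ($vd in Get-EcpVirtualDirectory -ADPropertiesOnly) {
    if ($vd.ExternalUrl) {
        Write-Warning "$($vd.Server): ECP ExternalUrl is '$($vd.ExternalUrl)', clearing it"
        Set-EcpVirtualDirectory -Identity $vd.Identity -ExternalUrl $null
    }
}

# 2. Deny EAC to every client outside the admin subnet. Client Access Rules are
#    evaluated after authentication, which is why the login page still renders
#    even though the EAC session itself is refused.
if (-not (Get-ClientAccessRule -Identity 'Deny external EAC' -ErrorAction SilentlyContinue)) {
    New-ClientAccessRule -Name 'Deny external EAC' -Action DenyAccess `
        -AnyOfProtocols ExchangeAdminCenter `
        -ExceptAnyOfClientIPAddressesOrRanges $MgmtRange
}

# 3. Probe the published hostname from outside the perimeter. A final HTTP 200 means the
#    path reached Exchange (the login page); anything else means the reverse proxy
#    or firewall stopped it. /owa/ should succeed and /ecp/ should not.
function Test-PublishedPath {
    param([string]$HostName, [string[]]$Paths)
    foreach ($p in $Paths) {
        try {
            $status = (Invoke-WebRequest -Uri "https://$HostName$p" -UseBasicParsing -ErrorAction Stop).StatusCode
        } catch {
            $status = $_.Exception.Response.StatusCode.value__   # $null if no HTTP answer at all
        }
        [pscustomobject]@{
            Path      = $p
            Status    = if ($status) { $status } else { 'no response' }
            Reachable = ($status -eq 200)
        }
    }
}
$results = Test-PublishedPath -HostName $PublicHost -Paths '/owa/', '/ecp/'
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Path -eq '/ecp/' -and $_.Reachable }) {
    Write-Warning 'EAC login page is still reachable from the Internet; block /ecp at the reverse proxy.'
}
```

Run step 3 from a host outside the perimeter; from the internal network it will always report /ecp/ as reachable, which is the intended state for administrators.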