Forum Discussion
abdullahsalam
Aug 04, 2020 | Copper Contributor
Block Microsoft Exchange Server 2016 Exchange Admin Center (EAC) website from Internet
Hi, as per requirements from our customer to restrict EAC from the external network, we have configured Exchange 2016 servers with Option 2 using the article below: https://docs.micr...
- Aug 05, 2020: I would highly recommend using a reverse proxy between your perimeter firewall and your Exchange server[s]. You can configure the reverse proxy to only pass through OWA traffic and ignore/drop ECP URL requests.
Once this is properly configured, you don't need to go through the hassle of disabling ECP on your Exchange Server or even creating a separate ECP site. (Although if you've already done that work, there's no reason to undo it.) Regardless of your choice, just be sure to set your external ECP URL values to null.
Off the top of my head, two potential solutions for a reverse proxy (I'm sure there are many) might be Citrix ADC (Netscaler) or Traefik. This is essentially what AAP does, but AAP (Azure App Proxy) is running in Azure, whereas your reverse proxy could run on premises.
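The path filtering described in the reply above, sketched as a default-deny check. This is an added example, not code from the thread or from any proxy product; the function names and sample requests are constructed, and it assumes OWA is the only path published externally.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumption for this sketch: OWA is the only path published externally.
ALLOWED_PREFIXES = ("/owa",)

# Constructed sample request targets, not taken from real traffic.
SAMPLE_TARGETS = ("/owa/", "/owa/auth/logon.aspx", "/ecp/", "/owa/../ecp/", "/")


def canonical_path(request_target: str) -> Optional[str]:
    """Return the path as the backend would resolve it, or None if ambiguous."""
    path = request_target.split("?", 1)[0]
    decoded = unquote(path)
    # Refuse anything still encoded after one decode, backslashes and control
    # characters rather than guessing how IIS would interpret them.
    if "%" in decoded or "\\" in decoded or any(ord(c) < 0x20 for c in decoded):
        return None
    if not decoded.startswith("/"):
        return None
    # Resolve "." and ".." segments, then fold case (IIS paths are case-insensitive).
    return posixpath.normpath(decoded).lower()


def decide(request_target: str) -> str:
    """Default deny: forward only when the canonical path is under an allowed prefix."""
    path = canonical_path(request_target)
    if path is None:
        return "drop"
    for prefix in ALLOWED_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return "forward"
    return "drop"


if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{decide(target):8} {target}")
```

Matching on the canonical path rather than the raw request line keeps the proxy's decision aligned with what the Exchange server would actually serve.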
abdullahsalam
Aug 04, 2020 | Copper Contributor
Hi manuphilip,
Thanks for your reply.
How will the users access OWA from the internet if we delete the records? Even if we delete the records, the ECP default website will still be accessible using the public IP mapped to the server.
We want to make sure that OWA is accessible from the internet using https://mail.domain.com/owa but to block https://mail.domain.com/ecp URL or EAC login page.
Currently, if any user/admin accesses https://mail.domain.com/ecp, it is reachable and they can access the login page from the internet, which we want to restrict/block/deny.
As mentioned earlier, if a user/admin tries to log in to https://mail.domain.com/ecp, then it gets redirected to the OWA settings page, which is the expected behaviour as we have disabled admin access to EAC on the default ECP website. But the requirement is to block the EAC login page itself while making sure OWA is accessible.
Is there any other way we can achieve this?
manuphilip
Aug 04, 2020 | MCT
Hi abdullahsalam,
I didn't notice the original request is for disabling only ECP. I think you can disable the ECP access with the following cmdlet:
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdminEnabled $false