Aug 04 2020 05:44 AM
Aug 04 2020 05:44 AM
As per requirements from our customer to restrict EAC from External network, We have configured Exchange 2016 servers configured with Option 2 using the article below:
As per customer security requirements, EAC/ECP website URL should not be accessible and should be blocked without impacting OWA accessibility for the users from Exchange Servers. Need help if this can be achieved using Exchange Server Configurations.
NOTE: By following the above article, EAC access is restricted but the EAC login page is still accessible by all the users.
Aug 04 2020 06:17 AM
OWA or ECP are accessible from internet through the records pointed in public DNS. So, you may go for deleting the records like mail.domain.com from public DNS.
You can also set the OWA, ECP public urls as null in the respective virtual directories to block the internet access as an alternate way. get-owavirtualdirectory or get-ecpvirtualdirectory cmdlets should report null value for external urls. You can use internal urls in external url field also so that those urls will be unavailable from internet
Aug 04 2020 06:37 AM
Aug 04 2020 07:32 AM
I didn't notice the original request is for disabling only ECP. I think you can disable the ECP access by the following cmdlet
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdminEnabled $false
Aug 04 2020 07:46 AM
Aug 04 2020 08:33 AM
Aug 04 2020 10:44 AM
Aug 04 2020 02:25 PM
Aug 04 2020 03:11 PM
Aug 05 2020 01:39 AMSolution
Aug 05 2020 06:17 AM - edited Aug 05 2020 06:18 AM
Thanks for your reply and for providing your recommendations. I would then conclude that the only solution for restricting the ECP Login Page access is using the reverse proxy solution to meet the security requirements of the customer.
I have also tested the Client Access Rules on Exchange Server 2019 in my lab to block client access to the EAC but still, it shows the Exchange Admin Center Login page. Also I get the same result when I configured "IP address and Domains Restrictions" Feature in IIS.