Blocking ecp access externally for Exchange 2013 - works with quirks

%3CLINGO-SUB%20id%3D%22lingo-sub-1752346%22%20slang%3D%22en-US%22%3EBlocking%20ecp%20access%20externally%20for%20Exchange%202013%20-%20works%20with%20quirks%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1752346%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20Exchange%202013%20and%20have%20added%20IP%20address%20restrictions%20to%20the%20ecp%20application%20in%20IIS.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhile%20it%20works%20it%20has%20its%20quirks...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20starters%20if%20I%20log%20in%20via%20a%20whitelisted%20IP%20I%20initially%20get%20the%20403.503%20Forbidden%20page%20but%20if%20I%20refresh%20the%20browser%20page%20I%20get%20a%20bit%20more%20of%20the%20ecp%20proper%2C%20then%20refresh%20a%20second%20time%20and%20the%20site%20appears%20and%20functions%20normally.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20why%20this%20might%20be%20the%20case%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20I%20note%20that%20when%20browsing%20to%20%2Fecp%20it%20initially%20redirects%20to%20%2Fowa%2Fauth...%20etc%20for%20the%20login%20page.%26nbsp%3B%20It%20even%20does%20this%20when%20browsing%20from%20a%20restricted%20IP.%26nbsp%3B%20From%20a%20restricted%20IP%20when%20typing%20in%20a%20correct%20credential%20it%20simply%20takes%20you%20back%20to%20the%20login%20page%20and%20doesn't%20log%20you%20in.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20it%20appears%20that%20the%20redirection%20from%20%2Fecp%20to%20%2Fowa%2Fauth%20occurs%20before%20IP%20restrictions%20are%20enforced.%26nbsp%3B%20Is%20there%20a%20way%20around%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ejc%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1752346%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2013%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor

Hi all,

 

We have Exchange 2013 and have added IP address restrictions to the ecp application in IIS.

 

While it works it has its quirks...

 

For starters if I log in via a whitelisted IP I initially get the 403.503 Forbidden page but if I refresh the browser page I get a bit more of the ecp proper, then refresh a second time and the site appears and functions normally.

 

Does anyone know why this might be the case?

 

Also I note that when browsing to /ecp it initially redirects to /owa/auth... etc for the login page.  It even does this when browsing from a restricted IP.  From a restricted IP when typing in a correct credential it simply takes you back to the login page and doesn't log you in.

 

So it appears that the redirection from /ecp to /owa/auth occurs before IP restrictions are enforced.  Is there a way around this?

 

thanks!

 

jc

0 Replies