Blocking ecp access externally for Exchange 2013 - works with quirks

%3CLINGO-SUB%20id%3D%22lingo-sub-1752346%22%20slang%3D%22en-US%22%3EBlocking%20ecp%20access%20externally%20for%20Exchange%202013%20-%20works%20with%20quirks%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1752346%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20Exchange%202013%20and%20have%20added%20IP%20address%20restrictions%20to%20the%20ecp%20application%20in%20IIS.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhile%20it%20works%20it%20has%20its%20quirks...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20starters%20if%20I%20log%20in%20via%20a%20whitelisted%20IP%20I%20initially%20get%20the%20403.503%20Forbidden%20page%20but%20if%20I%20refresh%20the%20browser%20page%20I%20get%20a%20bit%20more%20of%20the%20ecp%20proper%2C%20then%20refresh%20a%20second%20time%20and%20the%20site%20appears%20and%20functions%20normally.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20why%20this%20might%20be%20the%20case%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20I%20note%20that%20when%20browsing%20to%20%2Fecp%20it%20initially%20redirects%20to%20%2Fowa%2Fauth...%20etc%20for%20the%20login%20page.%26nbsp%3B%20It%20even%20does%20this%20when%20browsing%20from%20a%20restricted%20IP.%26nbsp%3B%20From%20a%20restricted%20IP%20when%20typing%20in%20a%20correct%20credential%20it%20simply%20takes%20you%20back%20to%20the%20login%20page%20and%20doesn't%20log%20you%20in.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20it%20appears%20that%20the%20redirection%20from%20%2Fecp%20to%20%2Fowa%2Fauth%20occurs%20before%20IP%20restrictions%20are%20enforced.%26nbsp%3B%20Is%20there%20a%20way%20around%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ejc%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1752346%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2013%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Occasional Contributor

Hi all,

 

We have Exchange 2013 and have added IP address restrictions to the ecp application in IIS.

 

While it works it has its quirks...

 

For starters if I log in via a whitelisted IP I initially get the 403.503 Forbidden page but if I refresh the browser page I get a bit more of the ecp proper, then refresh a second time and the site appears and functions normally.

 

Does anyone know why this might be the case?

 

Also I note that when browsing to /ecp it initially redirects to /owa/auth... etc for the login page.  It even does this when browsing from a restricted IP.  From a restricted IP when typing in a correct credential it simply takes you back to the login page and doesn't log you in.

 

So it appears that the redirection from /ecp to /owa/auth occurs before IP restrictions are enforced.  Is there a way around this?

 

thanks!

 

jc

0 Replies