JoshuaThompson-0351 asked EricYin-MSFT edited

Block external access to ECP and OWA while still allowing inbound certificate checks to work.

I need to block external access to ECP and OWA for my Exchange 2016 box. I have seen the other forum posts about this but my issue is slightly different.

I thought I could do this at my firewall level by not allowing inbound 443 to my Exchange box. I have a firewall rule for this and I set the action to disable.
This definitely works but it ends up causing problems with my 3rd party mail certificate.

(I don't fully understand this next part so I hope my details are accurate)

When port 443 traffic is NOT allowed to my inbound mail server then I start having problems with my 3rd party mail certificate.
Example: I use the digicert mail certificate checker at https://www.digicert.com/help as a test. When port 443 is forwarded to my mail server then this cert check is successful with no errors.
When port 443 is NOT forwarded to the mail server then this certificate checker fails. My firewall vendor states since we do not have a rule in place that forwards 443 traffic then the firewall offers up a different certificate for this checker which causes the failure as the domain names do not match.

So, if I disable 443 inbound it fixes my goal of blocking ECP and OWA but then causes certificate issues.

Any suggestions?

office-exchange-server-administration

Does it really cause certificate issues or just when you check it?


Inbound email has never been able to be delivered via TLS. We use Mimecast so all inbound external email flows to them over TLS first. Then they try to deliver to us over TLS. When that fails then they transmit using non-TLS. I assumed this certificate issue was the reason why.

That led me to that DigiCert checker which was failing. When I enabled my firewall rule to forward 443 traffic to my Exchange server that fixed the cert checker. But then that exposed my Exchange ECP and OWA externally.

Looking to fix both issues.
AndyDavid JoshuaThompson-0351 ·

Doesn't sound like it's related actually since the SMTP traffic is over port 25 and not 443, unless Mimecast is doing some other check.

What exactly fails and what is the error?

As for the checker piece: that won't work if 443 is blocked of course, so the only way to fix that would be to allow 443 when checking.


Hi,
You can follow the blogs below to block external access:
https://www.codetwo.com/admins-blog/how-to-disable-external-access-to-ecp/
https://www.alitajran.com/disable-external-access-to-ecp-exchange-2016/#Edit_feature_settings
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
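One way to get both outcomes the question asks for, as an added example (not code from this thread or from the linked blogs): keep 443 forwarded so the certificate check still completes, disable the admin center with the Exchange cmdlet, and restrict OWA to internal addresses with IIS IP and Domain Restrictions. The server name EX01 and the internal range 10.0.0.0/16 are assumed placeholders.

```powershell
# Added example, not from the thread. Assumes the Exchange 2016 server is
# named EX01 and the internal client range is 10.0.0.0/16 (placeholders).
# Run in the Exchange Management Shell on the Exchange server.

# 1. Block the Exchange admin center (ECP) from the Internet.
#    On Exchange 2016 this disables the EAC on that server for all users,
#    so keep remote PowerShell (or another server) for administration.
Set-EcpVirtualDirectory -Identity 'EX01\ecp (Default Web Site)' -AdminEnabled $false

# 2. Restrict OWA on the Internet-facing site (Default Web Site, port 443)
#    to internal clients. Port 443 stays forwarded at the firewall, so the
#    TLS handshake, and the certificate the DigiCert checker reads, still
#    completes; an external OWA client then receives HTTP 403 from IIS.
Import-Module WebAdministration
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security
}
$filter   = '/system.webServer/security/ipSecurity'
$psPath   = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/owa'

# Deny every address that is not explicitly listed ...
Set-WebConfigurationProperty -Filter $filter -PSPath $psPath -Location $location `
    -Name 'allowUnlisted' -Value $false

# ... then allow the assumed internal range.
Add-WebConfigurationProperty -Filter $filter -PSPath $psPath -Location $location `
    -Name '.' -Value @{ ipAddress = '10.0.0.0'; subnetMask = '255.255.0.0'; allowed = $true }

# 3. Show the rules IIS will now enforce for /owa.
Get-WebConfiguration -Filter "$filter/add" -PSPath $psPath -Location $location |
    Select-Object ipAddress, subnetMask, allowed
```

If the firewall NATs or reverse-proxies inbound 443, IIS sees the firewall's address rather than the client's, so the allow list must be based on what IIS actually sees (or the restriction placed on the firewall instead). The "Exchange Back End" site on port 444 is not touched by these rules.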

I am writing here to confirm with you how things are going now.
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.
