question

Abdullah-salam asked LucasLiu-MSFT commented

Block Microsoft Exchange Server 2016 Exchange Admin Center (EAC) website from Internet

Hi,

As per requirements from our customer to restrict EAC from the external network, we have configured Exchange 2016 servers with Option 2 using the article below:

https://docs.microsoft.com/en-us/exchange/architecture/client-access/disable-exchange-admin-center-a...

As per customer security requirements, EAC/ECP website URL should not be accessible and should be blocked without impacting OWA accessibility for the users from Exchange Servers. Need help if this can be achieved using Exchange Server Configurations.

NOTE: By following the above article, EAC access is restricted but the EAC login page is still accessible by all the users.

office-exchange-server-administration office-exchange-online-itpro office-exchange-server-connectivity

Hi @Abdullah-salam ,
If the problem is successfully solved, please click “Accept as answer” to mark your solution or the helpful reply as answer. This will make answer searching in the forum easier and be beneficial to other community members as well.
Thanks for your understanding.

0 Votes 0 ·
AndyDavid answered AndyDavid commented

Hi,

Thanks for sharing the articles. I will test and share my feedback if we can block EAC login page.

Also, can you please let me know if the methods mentioned in the article are officially supported? If yes, can you share an official reference link?

0 Votes 0 ·

Hi Andy,

I have tested both IP and Domain Restrictions feature of IIS and Exchange 2019 Client Access Rules. Both can also be used to restrict the access to EAC but still the users on the internet can see the EAC/ECP login page. So the user is restricted AFTER THE USER LOGIN on the EAC page.

The requirement was to drop/block the ECP/EAC URL request when a user tries to access the ECP/EAC URL itself from the external network, and the EAC login page should not be available for the user to log in. Looks like this can only be achieved through the reverse proxy solution.


0 Votes 0 ·
LucasLiu-MSFT answered Abdullah-salam commented

Hi Abdullah-salam,
You could install the IP and Domain Restrictions role and set it up to restrict EAC from the external network in IIS. Please follow the steps below:
1. In Server Manager, click the Manage menu, and then click Add Roles and Features.
2. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
3. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select IP and Domain Restrictions. Click Next.
4. After you install the IP and Domain Restrictions role, you could set up IP and Domain Restrictions in IIS.
Please note that based on a previous similar case, installing this feature may cause an access interruption for all users for a few minutes, and then it will be restored.
For more information you could refer to: Adding IP Security

Hi Lucas,

Thanks for your reply but using this method EAC login page is still available for all users on the internet. Is there any way to block the EAC login page also?

0 Votes 0 ·

Hi Abdullah-salam,
Please follow the below steps and see if it works:
1. Double-click “IP Address and Domain Restrictions”.
2. Select “Add Allow Entry”, add the IP or range, then click OK.
3. Click “Edit Feature Settings”; in “Access for Unspecified clients” select Deny, and you could select the “Deny Action Type”.
4. Please run IISreset in a CMD window started as administrator to reset IIS.
For more information you could refer to: Exchange 2016: Deny External Access to EAC
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


0 Votes 0 ·
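
The IIS Manager steps from the two replies above, scripted with the WebAdministration module, as an added example that is not part of the original thread. The site name `Default Web Site` and the 10.0.0.0/8 allow range are assumptions; substitute your own values.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Exchange server.
# Assumptions: the front-end site is 'Default Web Site' and the internal
# admin network is 10.0.0.0/8 (constructed sample range).
Import-Module ServerManager
Import-Module WebAdministration

$apphost  = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/ecp'   # scope the rule to the ECP virtual directory
$filter   = 'system.webServer/security/ipSecurity'

# Install the "IP and Domain Restrictions" role service if it is missing.
# As noted in the reply, expect a short client interruption while it installs.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security
}

# "Add Allow Entry": permit the internal range, skipping it if already present.
$allow = @{ ipAddress = '10.0.0.0'; subnetMask = '255.0.0.0'; allowed = 'True' }
$existing = Get-WebConfiguration -PSPath $apphost -Location $location -Filter "$filter/add" |
    Where-Object { $_.ipAddress -eq $allow.ipAddress -and $_.subnetMask -eq $allow.subnetMask }
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter $filter -Name '.' -Value $allow
}

# "Edit Feature Settings": deny unspecified clients and pick the deny action.
# Valid denyAction values: AbortRequest, Unauthorized, Forbidden, NotFound.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $filter -Name 'allowUnlisted' -Value 'False'
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $filter -Name 'denyAction' -Value 'NotFound'

# Review the effective settings and entries for /ecp before restarting IIS.
Get-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $filter -Name 'allowUnlisted', 'denyAction'
Get-WebConfiguration -PSPath $apphost -Location $location -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed

# Step 4 of the reply: restart IIS so the change takes effect.
iisreset
```

Because the rule is scoped to `/ecp`, clients outside the allowed range also lose the OWA options pages served from that virtual directory, so verify the result from both an internal and an external client.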

Hi Lucas,

Already tested that also. ECP login page is still visible. Applying the method will not block the login page, but when the user/admin tries to log in it does not work, which is not the requirement.

The requirement is ECP login page SHOULD NOT BE Available and user should not see the login page.

Looks like the only solution is to configure a reverse proxy to drop the ECP web request.

If you have any other solution then let me know.

0 Votes 0 ·
AndyDavid answered LucasLiu-MSFT commented

Hi, as I commented above, I don't think there is really any good solution for you. You really can't block or prevent even seeing the ECP directory without affecting OWA.
OWA and ECP are intertwined and OWA relies on the ECP virtual directory for user options.


Hi,

We have achieved this using F5 APM, and users can still access OWA options when they click on option settings in OWA. If any user tries to access https://mail.domain.com/ecp it will say "This site can’t be reached".

Thanks..

0 Votes 0 ·

Hi Abdullah-salam,
I’m pleased to know that your issue is resolved.
You could mark your solution as answer. This will make answer searching in the forum easier and be beneficial to other community members as well.
Thanks for your understanding.

0 Votes 0 ·