This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can Exchange Control Panel (ECP) be safely excluded from WAF definitions used for publishing Exchange services?

Good day,

I would like to restrict external access to the Exchange Control Panel (ECP) that is included in the WAF definitions for publishing Exchange services, such as Outlook Anywhere and ActiveSync (we don't provide external access to OWA). Could I safely remove all entries for "/ecp", "/ECP", "/ecp/*" and "/ECP/*" from the firewall profiles and associated exceptions? If not (due to some dependency), how could I secure this sensitive resource without breaking end-user access to Exchange services? Any guidance will be greatly appreciated.

This thread was automatically locked due to age.

0 Alexander Busch over 5 years ago

Hello SEFIT,

in my opinion it depends a little bit of the version of Exchange you're using. If you'r using Exchange 2016 or newer this should be possible. If you're on 2013 or bellow you can't so this.
I didn't try this myself but it's a very good idea. Exchange 2016 and upwards doesn't use ECP for out of office and other options. So this should not impact users, I think.
So if you do this give us an update. Or someone here has done this before?

Best regards

Alex

-
Cancel
Vote Up 0 Vote Down

Cancel
0 SEFIT over 5 years ago in reply to Alexander Busch

Hi Alex, thanks for the feedback. We're currently using Exchange 2013, so it seems not so straight-forward as I'd hoped.
Cancel
Vote Up 0 Vote Down

Cancel
0 SEFIT over 5 years ago in reply to SEFIT

I've come across an alternative approach which describes the creation of a second IIS website in which the EAC and OWA virtual directories are recreated and restricted to internal use only; the original has admin access restricted by running Set-ECPVirtualDirectory -Identity “ServerNameecp (default web site)” -AdminEnabled $false

https://www.anexinet.com/blog/disable-external-access-of-the-exchange-admin-center/

Has anyone used the approach? (other than the article's author, of course :-))
Cancel
Vote Up 0 Vote Down

Cancel
0 SEFIT over 5 years ago in reply to SEFIT

Just a quick update, found the following blog post that provides a similar (still unsupported) method:

https://blogs.technet.microsoft.com/exchange/2015/02/11/configuring-multiple-owaecp-virtual-directories-on-the-exchange-2013-client-access-server-role/
Cancel
Vote Up 0 Vote Down

Cancel
+1 Alexander Busch over 5 years ago in reply to SEFIT

Just a quick update, for Exchange 2016 it seems to work. No issues till now.

And by the way, I don’t know where I heard this but there might be a chance that 2013 is capable that too, since a specific patch level. Unfortunately the information wasn’t clear what exact build this was.

Maybe you could ask some Exchange MVP or give it a try?

Best regards

Alex

-
Cancel
Vote Up 0 Vote Down

Cancel