This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can Exchange Control Panel (ECP) be safely excluded from WAF definitions used for publishing Exchange services?

Good day,

I would like to restrict external access to the Exchange Control Panel (ECP) that is included in the WAF definitions for publishing Exchange services, such as Outlook Anywhere and ActiveSync (we don't provide external access to OWA). Could I safely remove all entries for "/ecp", "/ECP", "/ecp/*" and "/ECP/*" from the firewall profiles and associated exceptions? If not (due to some dependency), how could I secure this sensitive resource without breaking end-user access to Exchange services? Any guidance will be greatly appreciated.



This thread was automatically locked due to age.