This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can Exchange Control Panel (ECP) be safely excluded from WAF definitions used for publishing Exchange services?

Good day,

I would like to restrict external access to the Exchange Control Panel (ECP) that is included in the WAF definitions for publishing Exchange services, such as Outlook Anywhere and ActiveSync (we don't provide external access to OWA). Could I safely remove all entries for "/ecp", "/ECP", "/ecp/*" and "/ECP/*" from the firewall profiles and associated exceptions? If not (due to some dependency), how could I secure this sensitive resource without breaking end-user access to Exchange services? Any guidance will be greatly appreciated.



This thread was automatically locked due to age.
Parents
  • Hello SEFIT,

    in my opinion it depends a little bit of the version of Exchange you're using. If you'r using Exchange 2016 or newer this should be possible. If you're on 2013 or bellow you can't so this.
    I didn't try this myself but it's a very good idea. Exchange 2016 and upwards doesn't use ECP for out of office and other options. So this should not impact users, I think.
    So if you do this give us an update. Or someone here has done this before?

    Best regards

    Alex

    -

Reply
  • Hello SEFIT,

    in my opinion it depends a little bit of the version of Exchange you're using. If you'r using Exchange 2016 or newer this should be possible. If you're on 2013 or bellow you can't so this.
    I didn't try this myself but it's a very good idea. Exchange 2016 and upwards doesn't use ECP for out of office and other options. So this should not impact users, I think.
    So if you do this give us an update. Or someone here has done this before?

    Best regards

    Alex

    -

Children