
Can Exchange Control Panel (ECP) be safely excluded from WAF definitions used for publishing Exchange services?

Good day,

I would like to restrict external access to the Exchange Control Panel (ECP) that is included in the WAF definitions for publishing Exchange services, such as Outlook Anywhere and ActiveSync (we don't provide external access to OWA). Could I safely remove all entries for "/ecp", "/ECP", "/ecp/*" and "/ECP/*" from the firewall profiles and associated exceptions? If not (due to some dependency), how could I secure this sensitive resource without breaking end-user access to Exchange services? Any guidance will be greatly appreciated.



This thread was automatically locked due to age.
  • Just a quick update, for Exchange 2016 it seems to work. No issues till now.

    And by the way, I don’t know where I heard this, but there might be a chance that 2013 is capable of that too, as of a specific patch level. Unfortunately, the information wasn’t clear about what exact build this was.

    Maybe you could ask some Exchange MVP or give it a try?

    Best regards

    Alex
