Lock down Exchange 2013 ECP to internal access only
I'm concerned about the ECP on Exchange 2013 being accessible from the outside world. Is there a preferred method of disabling access to ECP from the outside while still allowing OWA and everyt
April 4th, 2013 1:05pm

By default, the ECP directory has no external address. Therefore it would not be available from outside, unless you allow the internal IP to be accessed from the Internet.

You can control each URL via PS or EAC.


April 5th, 2013 3:17am

I have the NAT rules set up to forward 443 to the Exchange 2013 server for OWA, ActiveSync etc. None of the 2013 virtual directories have an External URL set, but they all work externally.
April 5th, 2013 1:02pm

I am trying to do the same thing as you and I found this article: http://technet.microsoft.com/en-us/library/jj218639(v=exchg.150).aspx

but that seems to disable access internally as well. Then i found this article: http://www.ers.ie/Blog/post/How-to-Limit-Access-to-Microsoft-Exchange-2013-Exchange-Control-Panel-(ECP).aspx

That one seems to have more promise and is the best I can find so far

  • Marked as answer by Baron164 Monday, April 08, 2013 1:10 PM
April 5th, 2013 2:28pm

Thanks, that's definitely better than nothing. I would prefer if we could set it so the page doesn't load for anyone on the outside. With that solution the page still loads, they just can't log in. I'm thinking for larger environments I could have two CAS servers and only have one Internet-facing, and on that server disable the ECP function altogether. But for smaller deployments this should be sufficient.
April 5th, 2013 4:57pm

EDIT June 3rd 2014: The below is actually not supported as of SP1 for Exchange 2013.  It was an Exchange 2010 era response given below. Currently the only multiple web site config supported is the Default + Backend Web Site configuration on multi-role Exchange 2013 servers. Splitting admin access out should be done on standalone CAS as of today. -brian

======

First question, what is it about ECP you are concerned about? Is it the administration capability or the user options? What you could easily do is set AdminEnabled to $False as others have said on the default ECP vDir so users still have access to their user options. Then create a 2nd website with another ECP vDir and leave AdminEnabled. Don't create any publishing rules from the internet to this 2nd website's IP and you'll have reduced EAC's access to only internal net

April 6th, 2013 6:57pm
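The two controls raised in the replies so far (the InternalUrl/ExternalUrl values on the vdir, and AdminEnabled on the default ECP vdir) as one PowerShell example. This is an added example, not code from the thread; it is run from the Exchange Management Shell on the CAS, and the server name EX01 and the hostname mail.contoso.com are assumptions. It also includes the check behind the earlier observation that a vdir with no ExternalUrl still answers from the Internet: the URL values are what Autodiscover and OWA hand to clients, not an access control.

```powershell
# Added example (not from the thread). Assumptions: server name EX01, URL mail.contoso.com.
# Run from the Exchange Management Shell as a member of Organization Management.
$server     = 'EX01'
$ecpDefault = "$server\ecp (Default Web Site)"   # front-end vdir; leave 'Exchange Back End' alone

# Inventory: what each ECP vdir advertises and whether it still serves the EAC admin pages
Get-EcpVirtualDirectory -Server $server |
    Format-Table Identity, AdminEnabled, InternalUrl, ExternalUrl -AutoSize

# The URL properties only tell clients where to go; clearing ExternalUrl does not block requests
Set-EcpVirtualDirectory -Identity $ecpDefault `
    -InternalUrl 'https://mail.contoso.com/ecp' `
    -ExternalUrl $null

# Turn off the admin (EAC) half of the default ECP vdir. User options under /ecp keep working,
# and admins can still manage the organization from the Exchange Management Shell.
Set-EcpVirtualDirectory -Identity $ecpDefault -AdminEnabled $false

# Verify the setting took
$v = Get-EcpVirtualDirectory -Identity $ecpDefault
if ($v.AdminEnabled) { throw "AdminEnabled is still true on $ecpDefault" }

# Reachability check, run from a host outside the LAN: a 403 means IIS refused the client
# before Exchange saw the request; any other code means /ecp is still reachable from there,
# which is the case after the AdminEnabled change alone.
try {
    $r = Invoke-WebRequest -Uri 'https://mail.contoso.com/ecp/' -UseBasicParsing -MaximumRedirection 0
    $code = [int]$r.StatusCode
} catch {
    $code = [int]$_.Exception.Response.StatusCode
}
"/ecp answered with HTTP $code"
```

On a single multi-role server this is the whole story: with the only front-end ECP vdir set to AdminEnabled $false, nobody gets the EAC through a browser, inside or out, which is the behaviour the TechNet article linked earlier describes.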

Why not restrict access to /ecp to the LAN only using the "IP and Domain Restrictions" feature of IIS?
October 11th, 2013 1:45am
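The IIS restriction suggested above as an added PowerShell example, not code from the thread. Assumptions: the internet-facing site is 'Default Web Site', the LAN is 10.0.0.0/8 plus 192.168.1.0/24, and clients reach IIS directly; behind TMG, ARR, or a load balancer every client would arrive with the proxy's address and the rule would either block everyone or nobody. The restriction goes on the front-end site only, because the 'Exchange Back End' /ecp receives the proxied requests from the CAS's own address.

```powershell
# Added example (not from the thread): deny /ecp on the front-end site to everything except LAN
# ranges with the IIS "IP and Domain Restrictions" module. Site name and subnets are assumptions.
Import-Module WebAdministration

$site    = 'Default Web Site'                     # front end only; leave 'Exchange Back End' alone
$loc     = "$site/ecp"
$psPath  = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/ipSecurity'
$lanNets = @(
    @{ ipAddress = '10.0.0.0';    subnetMask = '255.0.0.0';     allowed = 'true' },
    @{ ipAddress = '192.168.1.0'; subnetMask = '255.255.255.0'; allowed = 'true' },
    @{ ipAddress = '127.0.0.1';                                 allowed = 'true' }   # local admin tools
)

# The module is not installed by default, and the section is locked at server level,
# so unlock it before writing a per-location override.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security | Out-Null
}
& "$env:windir\system32\inetsrv\appcmd.exe" unlock config -section:$filter | Out-Null

# Default deny for the /ecp location, then the allow list (cleared first so the script is re-runnable)
Set-WebConfigurationProperty -PSPath $psPath -Location $loc -Filter $filter -Name allowUnlisted -Value $false
Clear-WebConfiguration       -PSPath $psPath -Location $loc -Filter "$filter/add"
foreach ($net in $lanNets) {
    Add-WebConfigurationProperty -PSPath $psPath -Location $loc -Filter $filter -Name '.' -Value $net
}

# Check what IIS now holds for this location
(Get-WebConfiguration -PSPath $psPath -Location $loc -Filter $filter).allowUnlisted
Get-WebConfiguration -PSPath $psPath -Location $loc -Filter "$filter/add" |
    Format-Table ipAddress, subnetMask, allowed -AutoSize
```

A rejected client gets HTTP 403.6 from IIS without reaching Exchange, which is the "page does not load" behaviour asked for earlier. The trade-off the later replies point out applies here too: OWA's options pages (Out of Office, rules) also live under /ecp, so external users lose those along with the admins.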

I did not try that, but I think removing the /ecp breaks the webapp (OWA) access externally as well.

You need ECP as a user to set your Out of Office and so on, right?

October 11th, 2013 7:43am

First question, what is it about ECP you are concerned about? Is it the administration capability or the user options? What you could easily do is set AdminEnabled to $False as others have said on the default ECP vDir so users still have access to their user options. Then create a 2nd website with another ECP vDir and leave AdminEnabled. Don't create any publishing rules from the internet to this 2nd website's IP and you'll have reduced EAC's access to only internal
November 6th, 2013 12:37pm

That is still a good question. 

A second IIS website with a different IP just to secure ECP (for administrative usage) doesn't sound like the best idea to me.

"restrict access to /ecp to the LAN only using the "ip and Domain Restrictions" feature of IIS". sounds nice but the user needs to access /ecp to set his personal config stuff right?

When you use Forefront TMG to publish Exchange, you can restrict authentication to an Active Directory group in the publishing rule. So when doing this, just add regular webapp "users" to that group and make sure no account with administrative privileges is in there. Then everything should be fine and no administrative account will ever be able to authenticate from outside.

November 6th, 2013 1:07pm
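The TMG approach above stands or falls on "no account with administrative privileges is in there", and group nesting makes that easy to get wrong. The following audit is an added example, not code from the thread: it flattens the publishing-rule group and the Exchange admin role groups and reports any overlap. Assumptions: the group named in the TMG rule is 'OWA External Users', the ActiveDirectory module is available, and the session has the Exchange cmdlets (Exchange Management Shell or a remote session).

```powershell
# Added example (not from the thread): make sure no Exchange admin role holder is in the
# AD group that the TMG publishing rule allows to authenticate. Group name is an assumption.
Import-Module ActiveDirectory

$publishGroup    = 'OWA External Users'
$adminRoleGroups = @('Organization Management', 'Recipient Management', 'Server Management',
                     'View-Only Organization Management', 'Hygiene Management', 'Help Desk')

# Exchange side: expand role-group members, following nested AD groups, to user DNs
$admins = foreach ($rg in $adminRoleGroups) {
    foreach ($m in (Get-RoleGroupMember -Identity $rg)) {
        $dn = $m.DistinguishedName
        if ((Get-ADObject -Identity $dn).ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $dn -Recursive | ForEach-Object {
                [pscustomobject]@{ DN = $_.DistinguishedName; Role = "$rg (via $($m.Name))" }
            }
        } else {
            [pscustomobject]@{ DN = $dn; Role = $rg }
        }
    }
}

# TMG side: everyone who can log on from outside, nested groups included
$external = (Get-ADGroupMember -Identity $publishGroup -Recursive).DistinguishedName

# Any account on both lists can reach the EAC from the Internet through the published site
$overlap = $admins | Where-Object { $external -contains $_.DN }
if ($overlap) {
    $overlap | Format-Table Role, DN -AutoSize
    throw "Exchange admin accounts can authenticate through '$publishGroup'"
}
"OK: no member of the Exchange admin role groups is in '$publishGroup'"
```

Run it on a schedule or as part of change control for the publishing group; the check only covers the built-in Exchange role groups listed, so add any custom role groups your organization created, and keep admin work on separate accounts that are never mail-enabled for OWA in the first place.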

Hi All,

I am trying to fix the same issue but the website http://www.ers.ie/Blog/post/How-to-Limit-Access-to-Microsoft-Exchange-2013-Exchange-Control-Panel-(ECP).aspx

is not available. Can anybody who has implemented this fix provide the steps in detail.

Thanks.

November 3rd, 2014 7:02pm

The idea is to replicate OWA and ECP in a new site. The following are the steps:

  1. On your Exchange server, open IIS.
  2. Open your Exchange site and copy down the path for both ecp and owa, by clicking on them (one at a time) and click Explore.
  3. Clone both folders. Example, "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa" to "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owaIntra"
  4. Create a new site.
  5. Using Exchange PowerShell New-EcpVirtualDirectory and New-OwaVirtualDirectory, add new ecp and owa virtual directories to the site, using the cloned paths.
  6. Set FormsAuthentication to true for both ecp and owa using Set-EcpVirtualDirectory and Set-OwaVirtualDirectory. All other authentications should be false.
  7. Set AdminEnabled to true for ecp.

In the future, if you apply an SP or CU, you'll need to clone the paths again. Just copy and paste. Then perform an iisreset. If it somehow breaks (you can't log in), set the authentication again and perform an iisreset.

  • Edited by Programatix Tuesday, January 06, 2015 4:05 AM
January 6th, 2015 3:54am
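The seven steps above as one script, run from the Exchange Management Shell on the CAS. This is an added example and not the poster's code; the replies that follow call the procedure unsupported at the time, and the blog post linked later in the thread is the version Microsoft published for it. Assumed names: server EX01, new site 'ExchangeAdmin' bound only to the internal address 10.0.0.15 (no NAT or publishing rule points at it), cloned folders owaIntra and ecpIntra under the V15\FrontEnd\HttpProxy path the post quotes, and the certificate already assigned to IIS reused for the new binding.

```powershell
# Added example (not from the thread): second IIS site with its own owa/ecp vdirs, admin enabled
# only there. Server name, site name, IP and folder names are assumptions.
Import-Module WebAdministration

$server   = 'EX01'
$siteName = 'ExchangeAdmin'
$siteIp   = '10.0.0.15'                      # internal-only address; never published
$base     = 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy'
$owaPath  = Join-Path $base 'owaIntra'
$ecpPath  = Join-Path $base 'ecpIntra'
$sitePath = Join-Path $base 'AdminSite'      # empty folder used as the new site's root

# Steps 1-3: clone the front-end owa and ecp folders (repeat after every SP/CU, as the post says)
foreach ($name in 'owa', 'ecp') {
    $dest = if ($name -eq 'owa') { $owaPath } else { $ecpPath }
    if (-not (Test-Path $dest)) { Copy-Item (Join-Path $base $name) $dest -Recurse }
}
New-Item -ItemType Directory -Path $sitePath -Force | Out-Null

# Step 4: new site on https://10.0.0.15:443, reusing the certificate Exchange already uses for IIS
New-Website -Name $siteName -PhysicalPath $sitePath -IPAddress $siteIp -Port 443 -Ssl | Out-Null
$exCert  = Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$certObj = Get-Item "Cert:\LocalMachine\My\$($exCert.Thumbprint)"
New-Item "IIS:\SslBindings\$siteIp!443" -Value $certObj | Out-Null

# Step 5: register the cloned folders as Exchange vdirs on the new site
New-OwaVirtualDirectory -Server $server -WebSiteName $siteName -Path $owaPath -Role ClientAccess | Out-Null
New-EcpVirtualDirectory -Server $server -WebSiteName $siteName -Path $ecpPath -Role ClientAccess | Out-Null

# Steps 6-7: forms auth on both, other methods off, admin enabled on the internal ECP only
$owaId = "$server\owa ($siteName)"
$ecpId = "$server\ecp ($siteName)"
Set-OwaVirtualDirectory -Identity $owaId -FormsAuthentication $true -WindowsAuthentication $false -DigestAuthentication $false
Set-EcpVirtualDirectory -Identity $ecpId -FormsAuthentication $true -WindowsAuthentication $false -DigestAuthentication $false -AdminEnabled $true

# The internet-facing ECP keeps user options but loses the EAC
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" -AdminEnabled $false

iisreset /noforce

# Check: exactly one ECP vdir with AdminEnabled, and it is the one on the unpublished site
Get-EcpVirtualDirectory -Server $server | Format-Table Identity, AdminEnabled, FormsAuthentication, Path -AutoSize
```

Two things to confirm after running it: that 10.0.0.15 is not reachable through the firewall or TMG (the whole design rests on that), and that the Default Web Site vdirs are untouched, since OWA options for external users still depend on that /ecp. If Exchange re-enables Basic authentication alongside forms authentication on the OWA vdir, that is its own coupling of the two settings on 2013 and not a sign the clone failed.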

Please don't just go and use these steps, it won't be supported and if you make a mistake you'll likely break something. We are going to publish something soon on the blog on this subject, but until then, this isn't a supported process.
January 16th, 2015 4:27am

Please don't just go and use these steps, it won't be supported and if you make a mistake you'll likely break something. We are going to publish something soon on the blog on this subject, but until then, this isn't a supported process.
Do you have a rough ETA on this?  I simply published OWA without the ECP directory, but now users are starting to squawk about not being able to set rules and OOO.  Thanks.
February 4th, 2015 5:17pm

Soon Dr Venkman, soon.

Please don't risk crossing the streams configuring it as suggested earlier, the full solution will be out soon.

February 4th, 2015 9:59pm

The blog post announcing support and detailing the steps you need to make it work just got published. http://blogs.technet.com/b/exchange/archive/2015/02/11/configuring-multiple-owa-ecp-virtual-directories-on-the-exchange-2013-client-access-server-role.aspx
February 11th, 2015 10:15pm

Use IP address and Domain Restriction in IIS.

March 13th, 2015 1:10pm

The blog post announcing support and detailing the steps you need to make it work just got published. http://blogs.technet.com/b/exchange/archive/2015/02/11/configuring-multiple-owa-ecp-virtual-directories-on-the-exchange-2013-client-access-server-role.aspx

Wait, you gave a warning, quoting "Please don't just go and use these steps...." to my reply but your blog is basically doing the same thing.
April 30th, 2015 3:11am
