How to disable external access to Exchange 2013 ECP

Hi

Recently I migrated Exchange 2010 to Exchange 2013. It's still in the co-existence phase.

I don't want to expose my ECP site to the external network. How do I disable ECP access from external?

I tried IP and Domain Restrictions; it's working by not allowing login. One more problem with IP and Domain Restrictions is that the OWA options (auto-reply and so on) are not working.

Please suggest the recommended way to disable ECP external access.

February 14th, 2015 12:41am

Have you tried the following cmdlet?

Set-ECPVirtualDirectory -Identity "CAS01\ecp (default web site)" -AdminEnabled $false

More info here: https://technet.microsoft.com/en-us/library/jj218639(v=exchg.150).aspx

February 14th, 2015 2:08am

By disabling it this way, it will disable ECP internally also, right?

How can I manage my Exchange? After that I have to do each and everything in PowerShell.

Is there any way I can restrict it only externally, not internally?

February 14th, 2015 2:57am

In this case, I can suggest an alternative, as follows:

  • Open 'Server Manager' and select 'Add roles and features'
  • Select 'Role-based or feature-based installation' > Next
  • Choose the server with IIS installed from the pool > Next
  • Expand the 'Web Server- IIS' Role
    1. 'Web Server' > 'Security'
    2. Make sure 'IP and Domain Restrictions' is checked >
  • Open IIS and select 'IP Address and Domain Restrictions' under the ECP site
  • In the right-hand pane, select 'Add Allow Entry'
    1. For this example, only hosts in the 192.168.1.0/24 range will be granted access
    2. Click 'OK'
  • Select 'Edit Feature Settings' from the right pane
    1. Set 'Access for unspecified clients' > Deny
    2. Set 'Deny Action Type' > Forbidden

Do an iisreset and test the system now

February 14th, 2015 3:31am
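
The IIS steps in the reply above, scripted with the WebAdministration module. This is an added example and not part of any poster's reply; the 'Default Web Site/ecp' location and the 255.255.255.0 mask (for the 192.168.1.0/24 range in the post) are assumptions to adjust for your server.

```powershell
# Added example: scripted form of the GUI steps. Run in an elevated
# PowerShell session on the Client Access server.

# 'IP and Domain Restrictions' role service
Install-WindowsFeature -Name Web-IP-Security | Out-Null
Import-Module WebAdministration

# ipSecurity is locked at applicationHost level, so write it there
# with a <location> tag instead of into the vdir's web.config.
$psPath   = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/ecp'   # assumption: ECP vdir under the default site
$filter   = 'system.webServer/security/ipSecurity'
$network  = '192.168.1.0'            # example range from the post
$mask     = '255.255.255.0'          # /24

# 'Add Allow Entry' (skipped when already present, so re-runs are safe)
$existing = Get-WebConfiguration -PSPath $psPath -Location $location `
    -Filter "$filter/add[@ipAddress='$network']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $psPath -Location $location `
        -Filter $filter -Name '.' `
        -Value @{ ipAddress = $network; subnetMask = $mask; allowed = 'true' }
}

# 'Edit Feature Settings': unspecified clients = Deny, action = Forbidden
Set-WebConfigurationProperty -PSPath $psPath -Location $location `
    -Filter $filter -Name 'allowUnlisted' -Value $false
Set-WebConfigurationProperty -PSPath $psPath -Location $location `
    -Filter $filter -Name 'denyAction' -Value 'Forbidden'

# Read the result back before testing from inside and outside the range
Get-WebConfiguration -PSPath $psPath -Location $location -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
(Get-WebConfigurationProperty -PSPath $psPath -Location $location `
    -Filter $filter -Name 'allowUnlisted').Value
```

As reported later in the thread, clients outside the allowed range also lose the OWA options pages, because those are served from /ecp as well.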

Hi

I tried this option also.

The problem with this option is that users are not able to use the options from OWA (out-of-office kind of stuff).

February 14th, 2015 4:07am

Hey Vino,

How have you published your Exchange services like OWA and OA? You may block /ecp there only.

That will make sure that no one will be able to access the ECP from the external world.

February 14th, 2015 6:48am

Also take a look at:

http://blogs.technet.com/b/exchange/archive/2015/02/11/configuring-multiple-owa-ecp-virtual-directories-on-the-exchange-2013-client-access-server-role.aspx

With Exchange 2013 there's one new reason to add to the list, separation of the client facing ECP settings pages, and the Exchange Administration Console (EAC) settings pages. Both of these are served by the ECP virtual directory, which is somewhat confusing I'll admit. Basically the code behind the ECP virtual directory serves up either the personal ECP pages or the administrator's EAC pages based upon on the credentials of the user logging in. Of course this means if you allow access to /ECP from the Internet (which you need to for OWA or Outlook users to go to ECP) you also allow someone with administrative credentials to log into EAC. Some customers don't like this.

So to summarize, the only reasons for which you might feel the need to create multiple OWA and ECP virtual directories:

  • Separating admin/user ECP access. 
  • Or scenario number 3 as described earlier, because you have different policies or settings, or authentication requirements
February 14th, 2015 8:05am

Hi 

You can do that with TMG or a hardware load balancer.

February 14th, 2015 8:35am

By disabling it this way, it will disable ECP internally also, right?

How can I manage my Exchange? After that I have to do each and everything in PowerShell.

Is there any way I can restrict it only externally, not internally?

You're right.

How to manage Exchange?

1. You can manage everything using EMS. Or

2. Set up another CAS server. This one should not be exposed externally. You can control this at your HLB/firewall/reverse proxy so that the new CAS can be reached only from the internal network. Btw, -AdminEnabled should be $true for this CAS.



  • Edited by Li Zhen 20 hours 16 minutes ago
February 14th, 2015 10:21am

Hi,

Thanks for your response...

I have one query: by creating multiple virtual directories, can the things below be achieved or not?

1) Users can access OWA with full options like out of office, change password, etc.

2) ECP won't be available from external, but it will be available internally.

February 14th, 2015 1:01pm
