Disable External Access to Exchange Admin Centre on a single Exchange Server (2013/6)

So there are plenty of companies out there that have a single Exchange server in play – one box to serve their internal Outlook clients, remote access to mail, ActiveSync, etc. In this case, the default behaviour (and basically the only option, as both OWA and ECP are bound to port 443 on the same virtual host) is to have the CAS role on the same server, thus exposing the Exchange Admin Centre to the entire world via HTTPS. So, if someone gets hold of an administrator account (and remember, by default there is no lockout policy on those accounts, so brute force is back on the table), you’re in deep trouble.

The official Microsoft solution is to have two servers, one not reachable from the outside world, and to install the CAS role on that one – but this is outside the budget or scope of many small organisations. So let’s see how we can work around this and disable access from the outside without breaking everything.

First up, you can disable the Exchange Admin Centre right now with just one line of PowerShell – but we’ll see in a minute why this on its own is a bad idea:

Set-ECPVirtualDirectory -Identity "Exchange\ecp (default web site)" -AdminEnabled $False

Then restart IIS (iisreset is fine).

That’ll do it – no one can access the Exchange Admin Centre externally now. The problem is, they can’t access it internally either, meaning it’s now PowerShell or bust. This is probably not ideal for the kind of place that only has one Exchange server, as they’re also not likely to have someone with the time to dedicate to learning PowerShell in detail.

So how can we get what we really want – EAC dead on the outside but alive on the inside?

Step 1: Multihome the Exchange server (add a second static IP address).

If your Exchange Server is 192.168.1.25, add a second IP, perhaps 192.168.1.27. You do this simply by adding an additional IP address to the existing NIC; no new NIC is required.

Step 2: Add a DNS A record for the new IP

Go and add a DNS A record for the new IP address with a name something like “internaleac.mydomain.com”.

Great! Now we can browse to our Exchange Admin Centre on the new IP address, which of course is not exposed to the outside world via NAT. I’m sure you can see where we’re going with this now.

Step 3: Make a new virtual host in IIS

Start off by making a new folder inside c:\inetpub (or wherever) and call it something like internaleac or wwwroot2 or whatever you like.

Now go to IIS Manager and create the new virtual host (website) pointing at that folder.

Then set the bindings for HTTP (TCP 80) and HTTPS (TCP 443) on the new site so that they are bound only to the single IP address we’ve added (192.168.1.27 in this example), not to “All Unassigned”.

Great – we now have the website ready!

Step 4: Add new OWA and EAC (ECP) directories to our new Virtual Host

Now we want to jump into the Exchange Management Shell and run the following commands:

New-EcpVirtualDirectory -Server "exchange" -WebSiteName "internaleac" -InternalUrl "https://internaleac.domain.com/ecp"

New-OwaVirtualDirectory -Server "exchange" -WebSiteName "internaleac" -InternalUrl "https://internaleac.domain.com/owa"

We now have a fully functioning OWA (Outlook Web Access) and Exchange Admin Centre (ECP) on our internaleac website, on 192.168.1.27.

Step 5: Blocking External Access.

So the above is great and all – but people can still access the critical Exchange Admin Centre from the outside world, which is bad and exactly what we wanted to stop. So now we just revisit that first PowerShell command, turning admin control off on the default website only:

Set-ECPVirtualDirectory -Identity "Exchange\ecp (default web site)" -AdminEnabled $False

Again, restart IIS (iisreset is fine) – and we’re done!

Visits to the external ECP site, even by an account with admin rights, will now just be redirected to the options page of that user’s own mailbox, and nothing more. No more high-risk access to the Exchange Admin Centre from the entire world!
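The five steps above collected into one script, as an added example that is not part of the original post. It assumes the NIC alias is "Ethernet", the server name is "exchange", the Exchange certificate thumbprint is a placeholder you replace, and that it runs in the Exchange Management Shell on the Exchange server itself with the WebAdministration module available.

```powershell
# Added example, not from the original post. Assumptions: NIC alias "Ethernet",
# server name "exchange", placeholder certificate thumbprint, run from the
# Exchange Management Shell on the Exchange server.
Import-Module WebAdministration

$InternalIp   = "192.168.1.27"              # second IP, not NATed from outside
$SiteName     = "internaleac"
$SitePath     = "C:\inetpub\internaleac"
$InternalFqdn = "internaleac.mydomain.com"
$Thumbprint   = "<THUMBPRINT-OF-EXISTING-EXCHANGE-CERT>"   # placeholder, replace

# Step 1: second static IP on the existing NIC (no new NIC needed)
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress $InternalIp -PrefixLength 24

# Step 2 is the DNS A record ($InternalFqdn -> $InternalIp), created on your DNS server.

# Step 3: new IIS site bound ONLY to the internal IP, on 80 and 443.
# Binding to a single IP (not "All Unassigned") is what keeps it off the NATed address.
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
New-Website -Name $SiteName -PhysicalPath $SitePath -IPAddress $InternalIp -Port 80
New-WebBinding -Name $SiteName -Protocol https -IPAddress $InternalIp -Port 443
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
New-Item -Path "IIS:\SslBindings\$InternalIp!443" -Value $cert

# Step 4: ECP and OWA virtual directories on the new site. No -ExternalUrl on
# purpose: nothing should advertise this site outside the LAN.
New-EcpVirtualDirectory -Server "exchange" -WebSiteName $SiteName -InternalUrl "https://$InternalFqdn/ecp"
New-OwaVirtualDirectory -Server "exchange" -WebSiteName $SiteName -InternalUrl "https://$InternalFqdn/owa"

# Step 5: turn admin off on the externally reachable default site only
Set-EcpVirtualDirectory -Identity "exchange\ecp (default web site)" -AdminEnabled $false
iisreset

# Check: the "ecp (Default Web Site)" entry should now read AdminEnabled = False,
# while the internaleac entry stays True. Re-run this after every Exchange CU,
# because updates can recreate the default virtual directories.
Get-EcpVirtualDirectory -Server "exchange" |
    Select-Object Identity, AdminEnabled, InternalUrl, ExternalUrl
```

Run the final Get-EcpVirtualDirectory line before and after the change so you can see the default site flip from True to False; if the internal entry ever shows an ExternalUrl, that is a misconfiguration to fix.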

About the Author

Rodney: I'm a veteran of way too many years of IT (although I still love it) and I currently head up the technical work over at Host One (major sponsor of this site), where I'm also a partner. Feel free to ask me anything about Cloud Computing and I'll try to be helpful, in a non-salesy kind of way.