Lockdown EAC from external access Exchange 2019

Will Weston 1 Reputation point
2023-01-20T16:49:24.8333333+00:00

I have a on premise exchange server 2019. I need to block all external network access to EAC.

I have created the access control rule to Deny Access:

New-ClientAccessRule -Name "Allow ECP only for loopback" -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -ExceptAnyOfClientIPAddress 127.0.0.1 -Priority 2

Issue is there appears to be a redirect from OWA that is still getting through.

Any advise would be appreciated

Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
979 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,227 questions
{count} votes

3 answers

Sort by: Most helpful
  1. SanthiSwaroopNaikBukke-4908 595 Reputation points
    2023-01-20T16:51:50.2133333+00:00

    To block all external network access to Exchange Admin Center (EAC) in Exchange Server 2019 using PowerShell, you can use the New-WebServicesVirtualDirectory cmdlet to create a new virtual directory for EAC and configure it to only listen on the internal network interface. Here is an example of how to do this:

    Copy code
    # Connect to Exchange Server
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://your-exchange-server-fqdn/PowerShell/
    Import-PSSession $session
    
    # Create a new virtual directory for EAC
    $EACVD = New-WebServicesVirtualDirectory -Name "EAC" -InternalUrl "https://your-exchange-server-fqdn/EAC" -BasicAuthentication $true
    
    # Configure the virtual directory to only listen on the internal network interface
    Set-WebServicesVirtualDirectory -Identity $EACVD.Identity -InternalUrl $EACVD.InternalUrl -InternalAuthenticationMethods Basic
    
    # Remove external access to EAC
    Remove-WebServicesVirtualDirectory -Identity "EAC" -Confirm:$false
    
    0 comments No comments

  2. Aholic Liang-MSFT 13,736 Reputation points Microsoft Vendor
    2023-01-23T07:22:48.3966667+00:00

    Hi @Will Weston ,

    Please follow the steps below to block external network access to EAC and see if it effectively blocks redirection from OWA:

    1. Select the ECP in the Default Web Site in IIS Manager
    2. Double-click IP Address and Domain Restrictions.
      1. Select the “Add Allow Entry” and Add IP or Range then click Ok.
    3. Click on “Edit Feature Settings”, in “Access for Unspecified clients” Select Deny and you could select the “Deny Action Type”.
      1. Please run the IISreset in CMD start as administrator to reset the IIS.

    (Kindly note :To set up the Restrict external network access EAC in IIS, first install the IP and Domain Restriction role in the server management.)


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread

    0 comments No comments

  3. Amit Singh 4,771 Reputation points
    2023-01-23T09:19:00.9333333+00:00

    New-ClientAccessRule -Name “Block-ECP Outside ORG” -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -ExceptAnyOfClientIPAddressesOrRanges 10.190.65.1/24 -Priority 1

    The command will create a rule which allows access for connections ONLY from IP addresses which belongs to 10.190.65.1–10.190.65.254 (Class C).

    You can configure any combination of IP addresses:

    • A Single IP address (10.190.65.34)
    • IP address range (10.190.65.1–10.190.65.50)
    • Classless Inter-Domain Routing (CIDR) IP (10.190.65.1/24)

    In order to view the full details of the rule you have just created, run the next command:

    Get-ClientAccessRule “Block-ECP Outside ORG” | fl

    Check this detailed article for more insight - https://tkolber.medium.com/blocking-ecp-remote-powershell-access-in-exchange-2019-2d0f71e5820d

    0 comments No comments