I need to block external access to ECP and OWA for my Exchange 2016 box. I have seen the other forums posts about this but my issue is slightly different.
I thought I could do this at my firewall level by not allowing inbound 443 to my Exchange box. I have a firewall rule for this and I set the action to disable.
This definitely works but it ends up causing problems with my 3rd party mail certificate.
(I dont fully understand this next part so I hope my details are accurate)
When port 443 traffic is NOT allowed to my inbound mail server then I start having problems with my 3rd party mail certificate.
Example: I use the digicert mail certificate checker at https://www.digicert.com/help as a test. When port 443 is forwarded to my mail server then this cert check is successful with no errors.
When port 443 is NOT forwarded to the mail server then this certificate checker fails. My firewall vendor states since we do not have a rule in place that forwards 443 traffic then the firewall offers up
a different certificate for this checker which causes the failure as the domain names do not match.
So, if I disable 443 inbound it fixes my goal of blocking ECP and OWA but then causes certificate issues.