This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 42%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Hi,
As per requirements from our customer to restrict EAC from External network, We have configured Exchange 2016 servers configured with Option 2 using the article below:
As per customer security requirements, EAC/ECP website URL should not be accessible and should be blocked without impacting OWA accessibility for the users from Exchange Servers. Need help if this can be achieved using Exchange Server Configurations.
NOTE: By following the above article, EAC access is restricted but the EAC login page is still accessible by all the users.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 22%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hi @Abdullah Salam ,
If the problem is successfully solved, , please click “Accept as answer” to mark your solution or the helpful reply as answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Thanks for your understanding.
Hi, as I commented above, I don't think there is really any good solution for you. You really can't block or prevent even seeing the ECP directory without affecting OWA.
OWA and ECP are intertwined and OWA relies on the ECP virtual directory for user options.
Hi,
We have achieved this with using F5 APM and users can still access OWA options when they click on option settings in OWA. if any user tries to access https://mail.domain.com/ecp it will say "This site can’t be reached".
Thanks..
Hi Abdullah-salam,
I’m pleased to know that your issue is resolved.
You could mark your solution as answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Thanks for your understanding.
Hi Abdullah-salam,
You could install IP and Domain Restrictions role and set up restrict EAC from External network in IIS. Please follow the steps below:
Hi Lucas,
Thanks for your reply but using this method EAC login page is still available for all users on the internet. Is there any way to block the EAC login page also?
Hi Abdullah-salam,
Please follow the below steps and see if it works:
Hi Lucas,
Already tested that also. ECP Login page is still visible. Applying the method will not block the Login page but when the user/admin try login it doesnot work which is not the requirement.
The requirement is ECP login page SHOULD NOT BE Available and user should not see the login page.
Looks like only solution is to configure reverse proxy to drop the ECP web request.
If you have any other solution then let me know.
Take a look at these articles and test it out:
https://www.alitajran.com/disable-external-access-to-ecp-exchange-2016/
https://blog.expta.com/2018/10/how-to-block-external-access-to.html
Hi,
Thanks for sharing the articles. I will test and share my feedback if we can block EAC login page.
Also can you please let me know if the methods mentioned in article are Officially Supported. If yes can you share Official refrence link?
No there is no official document for these changes.
Exchange 2019 has the only officially supported method:
Hi Andy,
I have tested both IP and Domain Restrictions feature of IIS and Exchange 2019 Client Access Rules. Both can also be used to restrict the access to EAC but still the users on the internet can see the EAC/ECP login page. So the user is restricted AFTER THE USER LOGIN on the EAC page.
The requirement was to drop/block the ECP/EAC URL request when user tries to access the ECP/EAC URL itself from external network and EAC Login page should not be available for the user to login. looks like this can only be achieved through the reverse proxy solution.
As far as I know, you can't keep anyone from seeing that page, correct. They just can't access it. A reverse proxy would keep it invisible if its not published.
Note regardless, this may affect the ability to use OWA and OWA options from the internet, so be sure to test that out.