
Disable external access to ECP Exchange 2016

You should always disable external access to the Exchange Control Panel (ECP). An internet-facing ECP invites brute-force attacks against Exchange Server and is a big security risk. In this article, you will learn how to disable external access to ECP in Exchange Server 2016. The best approach, and my advice, is to block it on the firewall: the firewall is the first point at which external access can be stopped. If that is not possible on the firewall, block it on the Exchange Server itself. That is better than not disabling ECP at all. Let’s have a look at how to disable external access to ECP in Exchange 2016.

Do you have more than one Exchange Server? Perform the steps below on every Exchange Server that is reachable from the internet.

Install IP and Domain Restrictions role

Run the Add Roles and Features Wizard on the Exchange Server. Select your Exchange Server and follow the wizard until you reach the Server Roles tab. Expand Web Server (IIS) -> Web Server -> Security and check the IP and Domain Restrictions role service. On our end, it’s already installed on the Exchange Server.

Screenshot: Install the IP and Domain Restrictions role.

Click Next, then click Install to install the IP and Domain Restrictions role service. When the installation completes, proceed with the steps below.

Start IP Address and Domain Restrictions in IIS

Open IIS Manager on the Exchange Server. Expand Server -> Sites -> Default Web Site and select ecp. Double-click IP Address and Domain Restrictions. See screenshot:

Edit feature settings

The IP Address and Domain Restrictions feature is now open. Let’s configure it to disable external access to ECP on Exchange Server 2016. First, click Edit Feature Settings… and set Access for unspecified clients to Deny. Set the Deny Action Type to Not Found, so a blocked client receives a 404 instead of a hint that ECP exists.

Screenshot: Edit Feature Settings with unspecified clients denied and Deny Action Type set to Not Found.

Add allow entry

Click Add Allow Entry… and allow access to ECP from the Exchange Server itself (localhost). Add the IP address range 127.0.0.0 with prefix 8. If you prefer to enter a subnet mask instead of a prefix, it is 255.0.0.0.

Screenshot: Add Allow Entry for 127.0.0.0/8.

The entry is added. You can now log in to ECP from the Exchange Server by browsing to https://localhost/ecp. I don’t recommend opening ECP to the whole internal LAN. If you have management servers, add only their IP addresses to the allow list.

Screenshot: Allowed entries for localhost and the management servers.

The entries are added and listed correctly. Now test: open ECP and log in from one of the IP addresses you added. Make sure you use the Exchange Server hostname in the URL, for example https://EX01/ecp.
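The same procedure (install the role service, deny unspecified clients with a 404, add the allow entries, and verify) can be scripted so that it is applied identically on every internet-facing Exchange Server. The following PowerShell is an added example and is not code from the original article. It assumes the default site and virtual directory names used above ("Default Web Site" and "ecp"), the WebAdministration module that ships with IIS, and a constructed $ManagementHosts list whose addresses are placeholders you replace with your own management servers.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# on each Exchange 2016 server that is reachable from the internet.

# 1. Install the IP and Domain Restrictions role service (feature name Web-IP-Security).
Install-WindowsFeature -Name Web-IP-Security

Import-Module WebAdministration

# Default front-end site and the ecp virtual directory, as used in the article.
$site   = 'Default Web Site/ecp'
$filter = '/system.webServer/security/ipSecurity'

# Hosts allowed to reach ECP. 127.0.0.0/8 is the localhost entry from the article;
# 192.0.2.10 is a constructed placeholder for a management server.
$ManagementHosts = @(
    @{ ipAddress = '127.0.0.0';  subnetMask = '255.0.0.0' }
    @{ ipAddress = '192.0.2.10'; subnetMask = '255.255.255.255' }
)

# 2. Edit Feature Settings: deny unspecified clients and answer them with 404 Not Found.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
    -Name allowUnlisted -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
    -Name denyAction -Value 'NotFound'

# 3. Add the allow entries. Existing entries are skipped so the script can be re-run safely.
$existing = Get-WebConfiguration -PSPath 'IIS:\' -Location $site -Filter "$filter/add" |
    Select-Object -ExpandProperty ipAddress
foreach ($h in $ManagementHosts) {
    if ($existing -notcontains $h.ipAddress) {
        Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name '.' `
            -Value @{ ipAddress = $h.ipAddress; subnetMask = $h.subnetMask; allowed = $true }
    }
}

# 4. Verify: unlisted clients must be denied, and only the intended entries must be listed.
Get-WebConfiguration -PSPath 'IIS:\' -Location $site -Filter $filter |
    Select-Object allowUnlisted, denyAction
Get-WebConfiguration -PSPath 'IIS:\' -Location $site -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

After running it, the verification output should show allowUnlisted as False, denyAction as NotFound, and exactly the allow entries you intended. Finish with the same functional test as above: log in to https://EX01/ecp from an allowed address, and confirm that a client from any other address receives a 404.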

Conclusion

In this article, you learned how to disable external access to ECP in Exchange 2016. Remember to test after you apply the configuration. Think carefully before allowing access to ECP from any address. If you enjoyed this article, you may also like Disable Symantec Endpoint Protection (SEP). Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect and IT Consultant. His specialism is designing and building complex enterprise environments. He started in Information Technology at a very young age, and his goal is to teach and inspire others. Connect with ALI TAJRAN on social media.
