
Disable external access to ECP Exchange 2016

You should always disable external access to the Exchange Control Panel (ECP). You don’t want a brute-force attack on ECP in Exchange Server; it’s a big security risk. In this article, you will learn how to disable external access to ECP in Exchange Server 2016. The best approach, and my advice, is to block it on the firewall: the firewall is the first point that can stop external access. If that is not possible, do it on the Exchange Server itself; that is still better than leaving ECP exposed. Let’s have a look at how to disable external access to ECP in Exchange 2016.

Do you have more than one Exchange Server? Do the steps below on every Exchange Server that is reachable from the internet.

Install IP and Domain Restrictions role

Run the Add Roles and Features Wizard on the Exchange Server. Select your Exchange Server and follow the wizard until you reach the Server Roles tab. Expand Web Server (IIS) -> Web Server -> Security and check the IP and Domain Restrictions role. On our end, it’s already installed on the Exchange Server.

[Screenshot: IP and Domain Restrictions role in the Add Roles and Features Wizard]

Click Next, then click Install to install the IP and Domain Restrictions role. When the installation completes, proceed with the steps below.

Start IP Address and Domain Restrictions in IIS

Open IIS Manager on the Exchange Server. Expand Server -> Sites -> Default Web Site and select ecp. Double-click IP Address and Domain Restrictions. See screenshot:

Edit feature settings

The IP Address and Domain Restrictions feature opens. Let’s configure it to disable external access to ECP on Exchange Server 2016. First, click Edit Feature Settings… and set access for unspecified clients to Deny. Set the Deny Action Type to Not Found, so a client that is not on the allow list gets an HTTP 404 instead of a 403 and learns nothing about what is behind the path.

[Screenshot: Edit IP and Domain Restrictions Settings, unspecified clients denied with Deny Action Type Not Found]

Add allow entry

Click Add Allow Entry… and add an entry so that you can still reach ECP locally on the Exchange Server (localhost). Add the IP address 127.0.0.0 with prefix 8. If you prefer to enter a subnet mask instead of the prefix, it is 255.0.0.0.

[Screenshot: Add Allow Restriction Rule for 127.0.0.0 with mask 255.0.0.0]

You added the entry. Now you can log in to ECP from the Exchange Server itself at https://localhost/ecp. I don’t recommend opening ECP to the whole internal LAN. If you have management servers, add their IP addresses to the allow list.

[Screenshot: IP Address and Domain Restrictions list with the allowed entries]

You added the entries and they show correctly. Start ECP and log in from the IP addresses that you added. Make sure you use the Exchange Server hostname in the URL, for example https://EX01/ecp.
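The whole procedure above (install the role service, deny unspecified clients with a 404, allow localhost plus your management servers, verify), scripted with the IIS WebAdministration cmdlets. This is an added example and not part of the original article, which uses the IIS Manager GUI; the management server address 10.0.0.10 and the use of the local computer name in the test URL are placeholders to replace with your own values.

```powershell
# Added example: disable external access to /ecp on an Exchange 2016 server by
# configuring IIS IP and Domain Restrictions from PowerShell. Run elevated on
# every internet-facing Exchange server.
$Site    = 'Default Web Site/ecp'
$Filter  = 'system.webServer/security/ipSecurity'
$AppHost = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config, not the ecp web.config
$AllowedHosts = @(
    @{ ipAddress = '127.0.0.0'; subnetMask = '255.0.0.0' }         # localhost (/8), as in the article
    @{ ipAddress = '10.0.0.10'; subnetMask = '255.255.255.255' }   # placeholder: one management server
)

# Step 1: install the IP and Domain Restrictions role service if it is missing
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}
Import-Module WebAdministration

# Step 2: "Edit Feature Settings": deny unspecified clients and answer them with 404 Not Found
Set-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter $Filter -Name 'allowUnlisted' -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter $Filter -Name 'denyAction'    -Value 'NotFound'

# Step 3: "Add Allow Entry" for each host or range, skipping rules that already exist
$existing = (Get-WebConfiguration -PSPath $AppHost -Location $Site -Filter $Filter).Collection
foreach ($h in $AllowedHosts) {
    $dup = $existing | Where-Object { $_.ipAddress -eq $h.ipAddress -and $_.subnetMask -eq $h.subnetMask }
    if ($dup) { continue }
    Add-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter $Filter -Name '.' -Value @{
        ipAddress = $h.ipAddress; subnetMask = $h.subnetMask; allowed = 'true'
    }
}

# Step 4: show the resulting rules, then test. From an allowed client the login page
# returns 200; from a client that is not on the list the same request returns 404.
(Get-WebConfiguration -PSPath $AppHost -Location $Site -Filter $Filter).Collection |
    Format-Table ipAddress, subnetMask, allowed -AutoSize

function Test-EcpAccess([string]$HostName) {
    try   { (Invoke-WebRequest -Uri "https://$HostName/ecp" -UseBasicParsing).StatusCode }
    catch { [int]$_.Exception.Response.StatusCode }   # 404 = denied by the rule; 0 = no HTTP answer (e.g. certificate name mismatch)
}
Test-EcpAccess -HostName $env:COMPUTERNAME   # the article's example URL is https://EX01/ecp
```

Run the same Test-EcpAccess call from a workstation that is not on the allow list to confirm it gets 404, and from a management server to confirm it gets 200.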

Conclusion

In this article, you learned how to disable external access to ECP in Exchange 2016. Remember to test after you have applied the configuration. Think smart before allowing access to ECP. If you enjoyed this article, you may also like Disable Symantec Endpoint Protection (SEP). Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started in Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 11 Comments

  1. Just tried these instructions on an Exchange 2019 server. They don’t seem to work very well.

    The ECP page comes up and users can try to log in. If they use the wrong credentials they get a message about wrong credentials. However, if they use a set of good credentials, they get taken back to the login page.

    Anyone else experience this?

  2. Anyone else observe that you can still navigate to the ECP page, but if you try to log in it just sends you right back to the login page?

    I would have thought you would have gotten more of a 404 error message with the settings of “not found”.

  3. I tried this and now it blocks both internal/external access to the ECP. I tried removing the IP and Domain restrictions role but I still cannot access the ECP internally. It’s only through the localhost.

  4. Thanks for your great work. I have the same questions as Zakaria. I would like to restrict access to all virtual directories (EWS, OWA, PowerShell, MAPI, etc.) to only the internal LAN IP ranges and the VPN range. Any major issues you see here?

  5. I have found trying to do this works… it blocks external access to ECP. It ALSO blocks internal access from the server in question. Basically… it blocks ALL access to ECP. It doesn’t seem to follow the allow list at all.

  6. I followed this guide and did every step on my Exchange Server 2016,
    but it didn’t work for me 🙁

  7. One possible word of warning though.

    From my experience, if you make these changes then any user that uses OWA to check their mail can no longer change their options, as the options require them to access ECP.

    If there is a way around this, I would love to know!

    1. Internally you can add all subnets to the allow list. Use the IP Range and enter the lowest possible address on your network with a mask that will include them all. For example 192.168.0.1/255.255.0.0. That would cover any subnet starting with 192.168. Externally, you’re out of luck. I haven’t found a way around that one.
