When you create a Teams meeting in Outlook for another user, you get the error:…
Exchange Server Health Checker script supports vDir IP filtering
Great Microsoft engineers maintain the Exchange Server Health Checker PowerShell script. The script is excellent because they listen to feedback and are fast at pushing changes. A new update to the script will now show the correct vulnerability information if there are virtual directories (vDirs) with IP filtering.
Table of contents
Exchange Server Health Checker script supports vDir IP filtering
You did disable external access to ECP in Exchange Server or another vDir. However, when running the Exchange Server Health Checker script, it shows that there is a vulnerability present.
So what if you want to keep blocking the ECP vDir from external? Is that not the correct approach? Well, it is. But the Exchange Server Health Checker script didn’t correctly show that and flagged it as a security vulnerability.
Many admins removed ECP blocking and thought this was the correct approach. Unfortunately, that isn’t the case, and it’s best to block ECP with an IIS rule.
The good thing is that everything appears correctly with a new Exchange Health Checker script update. Let’s have a look at it in the next steps.
Note: Blocking external access to ECP is recommended, but that doesn’t mean you’re now completely protected. The best practice is to configure a remote access VPN on the firewall or Windows Server. This will ensure that the Exchange Server (and other servers in the organization) are available only to the users and not everyone.
vDir IP filtering enabled (before)
This is how it looked before when you disable external access to ECP in Exchange Server (recommended) and run the Exchange Server Health Checker PowerShell script.
There is a vulnerability detected on both Exchange Servers.
Let’s scroll down in the report and get more information in the Security Vulnerability rows.
The IPFilterEnabled value is True for the ECP vDir (Default Web Site), which is why it flags it as a security vulnerability.
vDir IP filtering enabled (after)
Running Exchange Server Health Checker script version v22.10.17.1713 or later shows that there is no security vulnerability when you have IP filtering enabled on the ECP vDir.
Note: The Exchange Server Health Checker script will update itself when you run it. If that’s not the case, ensure you download the latest HealthChecker.
Scroll down and verify that the Security Vulnerabilities row shows the value None.
That’s it!
Read more: Exchange Server supports Windows Server 2022 »
Conclusion
The Exchange Server Health Checker script adding support for vDir IP filtering is a welcoming adjustment. The Microsoft engineers that keep working on the script are great at implementing this change. The script improves with every release because users report new features, tweaks, and bugs, and the team is excellent at listening to users’ feedback.
Did you enjoy this article? You may also like Check Exchange health mailboxes. Don’t forget to follow us and share this article.
What Others Are Reading
it seems this bug is back in the latest build as I’m getting the original results on this?
Running version: Version 22.11.07.2236
I tested it with Exchange Health Checker version 22.11.07.2236 (latest), and it did not show security vulnerabilities when external access to ECP is disabled.
Note that a new Exchange Server SU was released an hour ago. It may show those vulnerabilities in your Exchange Health Checker report.