How to block external access to the Exchange Admin Center

Tuesday, October 2, 2018


When I was at Microsoft Ignite last week, several customers asked me how to block external access to the Exchange Admin Center. These customers have already completed all their mailbox migrations to Exchange Online and understand they'll need to keep that last Exchange server on-prem as a management server to manage mailboxes, groups, contacts, etc. But now that everyone in their organization has been migrated to Exchange Online, there's no need to allow external access to the hybrid servers for OWA or ECP.

There are several ways to do this:

  1. Remove the OWA/ECP namespace from external DNS so external clients can't resolve the FQDN
  2. Disable external EAC access on all ECP virtual directories using the following cmdlet (thanks to @markes20754 for reminding me) :
    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdminEnabled $false
Note that the command above will disable EAC on all Exchange servers, both internally and externally. You'll need another internal server for administration.

The third way is to limit access to only internal IP addresses using IIS, as shown below:
  • Start by adding the IP Address and Domain Restrictions feature to the Web Server (IIS) role in Server Manager for each Exchange 2013/2016 hybrid server in the org. This does not require a restart.
  • Open Internet Information Services (IIS) Manager and expand Default Web Site to the ECP virtual directory.
  • Double-click IP Address and Domain Restrictions and click Add Allow Entry on the Actions pane and enter the range for your internal LAN. In the following example I've configured the 192.168.1.0/24 LAN network.
    • Optionally, you can add other public IP address(es) that you want to allow access from.
    • Click Edit feature settings on the Actions pane. Under Access for unspecified clients select Deny and select the type of error message users see in their browser when they are denied. In the example below, I selected Abort.
    • Enable Proxy Mode allows IP addresses to be blocked not only by the client IP that is seen by IIS, but also by the values that are received in the x-forwarded-for HTTP header. Enable this option if SNAT is enabled on your load balancer.
    • Repeat for the OWA virtual directory.
    • Repeat the steps above for each Exchange hybrid server.
    Now if the Exchange Admin Center is accessed externally users will get an error:



    Notes:
    1. This change goes into effect immediately. There’s no need to restart IIS.
    2. Only do this after all your user mailboxes have been migrated to Exchange Online since doing this will prevent users with mailboxes on-prem from using OWA and will break free/busy sharing coexistence with on-prem users.
    3. Exchange 2019 does not publish the Exchange Admin Center externally by default. You need to manually configure it to do so. See Exchange admin center in Exchange Server 2019 for more details.