Tuesday, June 6, 2017

How to Secure ECP on a Single Exchange 2013/2016 Server

You do not want ECP accessible from the internet. Here is an easy way to resolve this. Note: if you do not have a wildcard cert you will get an SSL error. Do not create an EXTERNAL DNS record for this name, or you will expose ECP to the internet again.

In my example-
Server Name- ExchSRV1
Default web site- Default Web Site
New ECP Site- InternalECP
Domain Name- contoso.com
New ECP URL- ecp.contoso.com

1) Go into IIS, right click on Sites, Add Website.

Name- "InternalECP"
Physical Path- "C:\inetpub\wwwroot2"
Binding, Type- https
IP address- All Unassigned,
Port- 443 (Feel free to use another port for added security.)
Host Name- "ecp.contoso.com"

2) On your DNS servers, make a DNS A record for "ecp.contoso.com" pointing to your exchange server IP address.

3) Open the Exchange Management Console and enter the following commands-

New-EcpVirtualDirectory -Server "ExchSRV1" -WebSiteName "InternalECP" -InternalUrl "https://ecp.contoso.com/ecp"

New-OWAVirtualDirectory -Server "ExchSRV1" -WebSiteName "InternalECP" -InternalUrl "https://ecp.contoso.com/owa"

4) Test that you can log into the new url and get into ECP.

5) Enter the following to disable ECP on the main site-

Set-EcpVirtualDirectory -identity "ecp (Default Web Site)" -AdminEnabled $false
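The same five steps as one PowerShell run, with a verification pass at the end so you can confirm the default site no longer serves admin ECP. This is an added example, not from the original post; the server IP address, certificate thumbprint and DNS server name are placeholders you must replace, and it assumes the WebAdministration and DnsServer modules plus an Exchange Management Shell session.

```powershell
# Added example: lock ECP to an internal-only IIS site on a single Exchange 2013/2016 server.
# PLACEHOLDERS (replace): server IP, cert thumbprint, DNS server name.
$Server     = "ExchSRV1"
$SiteName   = "InternalECP"
$HostName   = "ecp.contoso.com"
$ZoneName   = "contoso.com"
$ServerIP   = "192.0.2.10"            # placeholder: your Exchange server IP
$CertThumb  = "<WILDCARD-CERT-THUMBPRINT>"  # placeholder: *.contoso.com cert in LocalMachine\My
$DnsServer  = "<INTERNAL-DNS-SERVER>"       # placeholder: internal DNS server (never public DNS)

Import-Module WebAdministration

# Step 1: new IIS site bound to https + host header only, so it never answers on the public name.
New-Item -ItemType Directory -Path "C:\inetpub\wwwroot2" -Force | Out-Null
New-Website -Name $SiteName -PhysicalPath "C:\inetpub\wwwroot2" -Port 443 `
    -HostHeader $HostName -Ssl | Out-Null
$binding = Get-WebBinding -Name $SiteName -Protocol https
$binding.AddSslCertificate($CertThumb, "My")   # attach the wildcard cert to the new binding

# Step 2: INTERNAL A record only. Creating this in external DNS would re-expose ECP.
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
    -Name "ecp" -IPv4Address $ServerIP

# Step 3: ECP and OWA virtual directories on the new site (ExternalUrl intentionally left empty).
New-EcpVirtualDirectory -Server $Server -WebSiteName $SiteName -InternalUrl "https://$HostName/ecp"
New-OwaVirtualDirectory -Server $Server -WebSiteName $SiteName -InternalUrl "https://$HostName/owa"

# Step 4: confirm the new URL answers before touching the default site.
$probe = Invoke-WebRequest -Uri "https://$HostName/ecp" -UseBasicParsing -MaximumRedirection 5
if ($probe.StatusCode -ne 200) { throw "InternalECP not reachable; not disabling default ECP." }

# Step 5: turn off admin ECP on the internet-facing default site.
Set-EcpVirtualDirectory -Identity "ecp (Default Web Site)" -AdminEnabled $false

# Verification: exactly one ECP vdir should have AdminEnabled = True, and it must be on InternalECP.
Get-EcpVirtualDirectory -Server $Server |
    Select-Object Identity, AdminEnabled, InternalUrl, ExternalUrl | Format-Table -AutoSize
```

Re-run the final `Get-EcpVirtualDirectory` after any CU install, since updates can recreate virtual directories with default settings.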
