Disable external access to ECP in Exchange Server 2019
External access to ECP in Exchange Server is a big security risk. In this article, you will learn how to disable external access to ECP in Exchange Server 2019. If it's not possible to do it on the firewall, do it on the Exchange Server. It's better than not disabling ECP. Let's have a look at how to disable external access to ECP in Exchange 2019.
Install IP and Domain Restrictions role
Run the Add Roles and Features Wizard from the Exchange Server Roles tab. Expand Web Server (IIS) -> Web Server -> Security. Check the IP and Domain Restrictions role. On our end, it's already installed on the Exchange Server.
Click on Next. Click Install to install the IP and Domain Restrictions role. After the installation completes, proceed with the steps below.
Start IP Address and Domain Restrictions in IIS
Open IIS Manager on the Exchange Server. Expand Server -> Sites -> Default Web Site. Select ecp. Double-click on IP Address and Domain Restrictions.
Edit feature settings
The IP Address and Domain Restrictions feature is open. Let's configure it to disable external access to ECP on the Exchange Server 2016. First, click on Edit Feature Settings… and set Access for unspecified clients to Deny. Set the Deny Action Type to Not Found.
Add allow entry
Click on Add Allow Entry… and configure it so that you can access ECP internally on the Exchange Server itself (localhost). Add the IP 127.0.0.0 with prefix 8. If you want to add the subnet mask instead of the prefix, it should be 255.0.0.0.
You added the entry. Now you can log in to ECP from the Exchange Server by going to https://localhost/ecp. I don't recommend opening ECP to the whole internal LAN. If you have management servers, add their IP addresses to the allow list.
You added the entries and they show correctly. Start ECP and log in from the IP addresses that you added. Make sure you insert the Exchange Server hostname, for example https://exchangeserver/ecp.
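The same steps can be scripted. The following PowerShell is an added example, not part of the original article: it installs the role, sets the deny default with the Not Found action, and adds the localhost allow entry on Default Web Site/ecp. The commented-out management server address 192.0.2.10 is a constructed placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the IIS Manager steps in this article.
Import-Module WebAdministration

$psPath   = 'MACHINE/WEBROOT/APPHOST'           # ipSecurity is stored in applicationHost.config
$location = 'Default Web Site/ecp'              # the ecp virtual directory
$filter   = '/system.webServer/security/ipSecurity'

# Addresses allowed to reach ECP. 127.0.0.0/8 comes from the article.
$allowList = @(
    @{ ipAddress = '127.0.0.0'; subnetMask = '255.0.0.0' }
    # Placeholder for a management server (constructed value, replace with your own):
    # @{ ipAddress = '192.0.2.10'; subnetMask = '255.255.255.255' }
)

# Install the IP and Domain Restrictions role if it is missing.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

# Edit Feature Settings: deny unspecified clients, answer with Not Found.
Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter `
    -Name allowUnlisted -Value $false
Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter `
    -Name denyAction -Value 'NotFound'

# Add Allow Entry: skip entries that already exist so the script can be re-run.
$existing = @(Get-WebConfiguration -PSPath $psPath -Location $location -Filter "$filter/add")
foreach ($entry in $allowList) {
    $present = $existing | Where-Object {
        $_.ipAddress -eq $entry.ipAddress -and $_.subnetMask -eq $entry.subnetMask
    }
    if (-not $present) {
        Add-WebConfiguration -PSPath $psPath -Location $location -Filter $filter -Value @{
            ipAddress  = $entry.ipAddress
            subnetMask = $entry.subnetMask
            allowed    = $true
        }
    }
}

# Read the result back for review.
Get-WebConfiguration -PSPath $psPath -Location $location -Filter $filter |
    Select-Object allowUnlisted, denyAction
Get-WebConfiguration -PSPath $psPath -Location $location -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Run it from an elevated PowerShell session on the Exchange Server. Afterwards, a request for /ecp from an address that is not on the allow list should receive a 404 response.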