Forum Discussion

esmith_190578

Nimbostratus

Mar 25, 2015

Block Exchange 2013 admin center

I have 2 F5s and I use iapp to provide access to Exchange 2013. I would like to block the Exchange admin console from the outside world. Being very new to the F5 world, I would like to know the best way to do this without interrupting OWA, RDP, OutlookAnywhere.

Mark_Thornton_1
Mar 25, 2015
I am also new to the F5 world, but I agree with mikeshimkus that is is very difficult to separate the ECP traffic between OWA and EAC. However, last year I ran into the same issue for a customer of mine and found this site which provided a good solution to this issue. Since you obviously want to be able to keep your own access to EAC, while removing it from outside access, this may be something to look at.

http://anexinetisg.blogspot.com/2014/06/disable-external-access-of-exchange.html

mikeshimkus_111
Historic F5 Account
Mar 25, 2015
Hi, we previously had included an iRule to block access to the EAC from certain client IPs, but it proved unreliable due to not having a consistent way to separate EAC ECP traffic from OWA ECP traffic.

Your best bet will probably be to create a second, internal-only set of OWA and ECP virtual directories with the -AdminEnabled parameter set to true, which is not published on the BIG-IP. You can then set -AdminEnabled to false on your external ECP virtual directory so users accessing their mailboxes can't admin.

Here are a couple of posts on this:

http://blogs.technet.com/b/exchange/archive/2015/02/11/configuring-multiple-owa-ecp-virtual-directories-on-the-exchange-2013-client-access-server-role.aspx

https://social.technet.microsoft.com/Forums/exchange/en-US/68519cd7-f0f2-4a0a-b23c-84a8f8e69da9/lock-down-exchange-2013-ecp-to-internal-access-only
Mark_Thornton_1
Nimbostratus
Mar 25, 2015
I am also new to the F5 world, but I agree with mikeshimkus that is is very difficult to separate the ECP traffic between OWA and EAC. However, last year I ran into the same issue for a customer of mine and found this site which provided a good solution to this issue. Since you obviously want to be able to keep your own access to EAC, while removing it from outside access, this may be something to look at.

http://anexinetisg.blogspot.com/2014/06/disable-external-access-of-exchange.html

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Block Exchange 2013 admin center

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

MS Exchange ProxyNotShell block implemented via iRules

The Business Partner Exchange - An F5 Distributed Cloud Services Demonstration

Restrict Access to Exchange Administrative Center - Enhanced

Security Operations Center - Helpers Behind the Scenes

ASM Sync Between 2 Data Centers

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS