Forum Discussion
- JGCumulonimbus
Of course they don't match. What is this about and what are you trying to achieve? Some more info would help.
Disable external access to the ECP for Admins who are members of the Exchange Organization Management Security Group?
As per MS: "organizations may want to restrict access to the EAC for client connections from the Internet".
"Should BIG-IP APM restrict EAC access to members of the Exchange Organization Management Security Group? Yes, restrict EAC access by group membership"
Seems to me this is the wrong way around and doesn't match anyway. Or am I missing something?
So in theory this is meant to block ECP to users who might change personal details, members of groups they own, or wipe their own phone which got stolen. Whereas we allow admins full access to change SMTP routing, any policy they want, disable access to all other admins...
- JGCumulonimbus
OK, as I understand it from the link above, MS recommends that access to "/ecp" be restricted to the internal network by way of disabling the service externally but setting it up on a different IP address for access from the internal network only.
Now, in what way has this to do with F5 in your deployment?
So in theory this is meant to block ECP to users who might change personal details, members of groups they own, or wipe their own phone which got stolen. Whereas we allow admins full access to change SMTP routing, any policy they want, disable access to all other admins... What I can't understand is when and why would I want to do that?
Surely it would make more sense to block ECP access to admins via the APM and iApp and allow normal users access.
- JGCumulonimbus
I see. Our deployment here is to allow all through (per business request). So I don't see the bit about APM's group membership checking in our configurations.
Going through the code of the iApp myself though, I can see that "/ecp/default.aspx" is the landing page. I can't find a string match of "ExchClientVer" anywhere.
I also see this:
"Because you are deploying the BIG-IP APM, you can restrict Exchange Administration Center (EAC) access to members of Exchange 2013's Organizational Management group. The BIG-IP APM module queries Active Directory group membership and the BIG-IP APM policy allows or denies access based on membership."
Anyway, there seem to be two things here: 1) the APM ACL function does not work (not matching a certain string); and 2) it seems pointless to have this function from your perspective.
So what do we want to do?
That's the one :)
I've changed the EAC URI branch rules and added "OR Landing URI is /ecp/?ExchClientVer=15", and changed the successful "Allow" to a Deny.
Users won't hit the ?ExchClientVer=15; it appears they only use the /ecp/ URI.
No luck with that config.
- JGCumulonimbus
Will you share the text of that rule?
- JGCumulonimbus
It seems to me the "EAC URI" should check "/ecp/default.aspx" only, and if AD query (of security group membership I presume) is successful the access should be allowed, instead of denied, which should be the case of the fallback.
And you might want to enable tracing to see what is really going on. See K13384: Performing a web applications trace (11.x - 12.x).
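The access decision described in the reply above (match the ECP landing URI, allow only on a successful AD group check, deny on the fallback branch), written out as an added Python illustration rather than the iApp's own policy code. It also shows why an exact string rule such as "Landing URI is /ecp/?ExchClientVer=15" never fires for a plain "/ecp/" request: the comparison should be on the URI path with the query string stripped. The group name, the sample URIs and the sample users are constructed for the illustration.

```python
"""Illustration of the APM "EAC URI" branch logic (added example, not F5 code).

Assumptions: the admin role group is named "Organization Management", and any
landing URI whose path is /ecp or lives under /ecp/ is an EAC request.
"""
from urllib.parse import urlsplit

# Assumed name of the Exchange role group whose members may reach the EAC.
EAC_ADMIN_GROUP = "Organization Management"


def is_eac_request(landing_uri: str) -> bool:
    """True when the landing URI targets the ECP/EAC.

    Only the path is compared, case-insensitively, so "/ecp/",
    "/ecp/?ExchClientVer=15" and "/ecp/default.aspx" all match. A query
    string or a different case never lets a request slip past the rule.
    """
    path = urlsplit(landing_uri).path.lower().rstrip("/")
    return path == "/ecp" or path.startswith("/ecp/")


def literal_rule_fires(landing_uri: str, rule_literal: str) -> bool:
    """The exact-string comparison an "is <literal>" branch rule performs.

    Kept here to show the pitfall from the thread: the literal
    "/ecp/?ExchClientVer=15" does not match a request for "/ecp/".
    """
    return landing_uri == rule_literal


def eac_access_decision(landing_uri: str, ad_groups) -> str:
    """Policy outcome for one request.

    Returns "allow" for admin-group members hitting the EAC, "deny" for
    everyone else hitting the EAC (the fallback branch), and "not-eac" when
    the URI is not an EAC request and this rule does not apply.
    """
    if not is_eac_request(landing_uri):
        return "not-eac"
    # AD group names are compared case-insensitively, as the directory does.
    groups = {g.casefold() for g in ad_groups}
    return "allow" if EAC_ADMIN_GROUP.casefold() in groups else "deny"


if __name__ == "__main__":
    # Constructed sample sessions: (landing URI, AD groups of the user).
    samples = [
        ("/ecp/", ["Organization Management", "Domain Users"]),
        ("/ecp/?ExchClientVer=15", ["Domain Users"]),
        ("/ecp/default.aspx", ["Domain Users"]),
        ("/owa/", ["Domain Users"]),
    ]
    for uri, groups in samples:
        print(f"{uri:28} -> {eac_access_decision(uri, groups)}")
    # The literal rule from the thread misses the plain /ecp/ request.
    print("literal rule fires for /ecp/:",
          literal_rule_fires("/ecp/", "/ecp/?ExchClientVer=15"))
```

Running the block prints allow for the admin, deny for the two ordinary users hitting the EAC, not-eac for the OWA request, and False for the literal rule, which is the behaviour the thread observed when the extra branch rule never matched.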