on 18-Mar-2015 14:47
Problem this snippet solves:
This is an updated version of the iRule that restricts access to the Exchange Administrative Center (EAC) for Exchange 2013 to certain IPs. Our issue was that we still needed aspects of OWA to be available externally for our users, and they share the same URI with the EAC. We created an address list (exchange_2013_eac_trusted_addresses) for the IPs and subnets we wanted to allow, as well as a string list (exchange_2013_eac_trusted_uri) for the URIs that needed to be accessible for end users.
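Code:
when HTTP_REQUEST {
    # Lowercase the URI before matching: IIS treats paths case-insensitively,
    # so "/ECP" must be caught as well as "/ecp".
    if { [string tolower [HTTP::uri]] contains "/ecp" } {
        set response "EAC Access Denied We are sorry, but access to the Exchange Administration Center is restricted to approved client IP addresses. Your IP address is not approved."
        # Allow ECP pages opened from OWA (Referer carries rfr=owa). Both tests sit
        # in one condition so that a request with any other Referer still falls
        # through to the address and URI checks instead of skipping them.
        if { [HTTP::header exists "Referer"] && ([HTTP::header "Referer"] contains "rfr=owa") } {
            pool exchange_2013_owa_pool7
        } elseif { [class match [IP::client_addr] equals "exchange_2013_eac_trusted_addresses"] } {
            # Client address is in the trusted address list
            pool exchange_2013_owa_pool7
        } elseif { [class match [string tolower [HTTP::uri]] starts_with "exchange_2013_eac_trusted_uri"] } {
            # URI is one that end users need to reach
            pool exchange_2013_owa_pool7
        } else {
            # Everything else under /ecp gets the denial page
            HTTP::respond 200 content $response
        }
        unset response
    }
}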
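An offline Python model of the allow/deny order described above, for checking planned data-group contents against a table of expected outcomes before loading them on the BIG-IP. This is an added example, not the author's or F5's code; the data-group entries, addresses, URIs and function names are constructed for illustration.

```python
import ipaddress

# Constructed stand-ins for the two data groups (not values from the original post).
TRUSTED_ADDRESSES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.25/32")]
# Entries must be stored lowercase because the URI is lowercased before matching.
TRUSTED_URI_PREFIXES = ["/ecp/constructed-user-page/"]

def in_trusted_addresses(client_ip):
    """Model of: class match <client address> equals <address data group>."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_ADDRESSES)

def eac_decision(uri, client_ip, referer=None):
    """Return (action, reason) in the same order the rule evaluates its checks."""
    path = uri.lower()
    if "/ecp" not in path:
        return ("pass", "not an EAC request")   # rule does not touch the request
    # Referer is supplied by the client; it is a usability exception, not authentication.
    if referer is not None and "rfr=owa" in referer:
        return ("allow", "owa referer")
    if in_trusted_addresses(client_ip):
        return ("allow", "trusted address")
    if any(path.startswith(prefix) for prefix in TRUSTED_URI_PREFIXES):
        return ("allow", "trusted uri")
    return ("deny", "default")

# Constructed test matrix: (uri, client_ip, referer, expected action)
CASES = [
    ("/owa/", "203.0.113.7", None, "pass"),
    ("/ecp/", "192.0.2.10", None, "allow"),
    ("/ecp/", "198.51.100.25", None, "allow"),
    ("/ECP/default.aspx", "203.0.113.7", None, "deny"),
    ("/ecp/Constructed-User-Page/x", "203.0.113.7", None, "allow"),
    ("/ecp/", "203.0.113.7", "https://mail.example.com/ecp/?rfr=owa", "allow"),
    ("/ecp/", "203.0.113.7", "https://mail.example.com/other", "deny"),
]

def failures():
    """Return the cases whose modelled action differs from the expected one."""
    return [c for c in CASES if eac_decision(c[0], c[1], c[2])[0] != c[3]]

if __name__ == "__main__":
    for uri, ip, ref, expected in CASES:
        print(f"{ip:15} {uri:32} -> {eac_decision(uri, ip, ref)} (expected {expected})")
    print("mismatches:", failures())
```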