2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
A customer recently asked me whether the Exchange Administration Center (EAC) is the new administration console now that Exchange has been upgraded from 2010 to Exchange 2013. It replaces its predecessor, the Exchange Management Console (EMC), as the console for managing Exchange 2013 organizations. The two consoles are fundamentally different: EMC is a Microsoft Management Console (MMC) application, while EAC is a web-based management console installed on a Client Access Server (CAS) as a virtual directory in IIS. The EAC comes with the Exchange Control Panel (ECP), a web application with no built-in access restriction that can be reached in real time from various locations on the network (LAN, Internet). Any user with a valid username and password can log in, in ways that were never possible before. When the CAS is installed in a perimeter network such as a DMZ, this can pose a significant threat: attackers using intercepted passwords can log into ECP via the Internet.
Fortunately, Microsoft has given us a way to restrict access to ECP without shutting down access to OWA. We can do this by following the TechNet documentation and running the following command:
Set-EcpVirtualDirectory -Identity "ecp" -AdminEnabled $false
As you can see from the screenshot above, if we want the change to take effect immediately, we can run the command "iisreset /noforce".
iisreset /noforce
After the solution is implemented, each attempt to reach the ECP page will either end with a "404 page not found" error or, for administrator accounts, be redirected to the OWA options page with the account details (see screen below).
However, this solution has one drawback. Although it successfully restricts access to ECP from the Internet zone, it also leaves us unable to access ECP from the internal network. For this case, Microsoft recommends installing a CAS server on the internal network for internal ECP access only. But in my own opinion and that of professional IT colleagues, a better approach is to add a second website with its own ECP and OWA virtual directories to the Internet-facing CAS. This is a simpler and faster solution.
To apply this solution, we need to assign a second IP address (usually one IP address) to the server where CAS is installed. This task can be easily accomplished by configuring a new IP address on a second network adapter installed in the CAS server, or assigning a second IP address on an existing network interface. The first approach is primarily deployed by administrators for security policy compliance reasons, whereas the second approach is easier and faster to implement. The following screen illustrates the latter solution:
After assigning the IP address to the CAS, we need to create the appropriate record in the DNS zone on the DNS servers. The name in this record will be used to reach the custom ECP virtual directory. More importantly, the record must point to the IP address configured earlier:
In the next step, we create a folder for the second site under the C:\inetpub folder, such as wwwroot2.
Once the folder is created, we open Internet Information Services (IIS) Manager and create a second website, such as "InternalEAC", pointing to the new folder C:\inetpub\wwwroot2 and bound to ports TCP/80 (HTTP) and TCP/443 (HTTPS). The screen below shows the walkthrough.
First, we must remember to bind the new website to the new IP address:
In the following step, we create virtual directories for ECP and OWA under the newly created second website. We do this by running the following commands:
New-EcpVirtualDirectory -Server "<CAS server name>" -WebSiteName "InternalEAC" -InternalUrl "<internal ECP URL>"
New-OwaVirtualDirectory -Server "<CAS server name>" -WebSiteName "InternalEAC" -InternalUrl "<internal OWA URL>"
After that, we disable access to EAC on the default website using the Microsoft solution mentioned earlier. To do this, we simply run the following commands:
Set-EcpVirtualDirectory -Identity "ecp" -AdminEnabled $false
iisreset /noforce
Finally, only two steps remain. The first is to restrict access to the IP address bound to our custom website so that only chosen sources, such as internal users or admin sites, can reach it. This prevents access to our new website from unwanted areas such as perimeter networks or Internet zones.
The final step is to assign the appropriate certificate for SSL purposes to the custom ECP Web site. It can be a third-party certificate (such as an existing wildcard certificate already assigned to the default Web site), a certificate from an internal CA, or a self-signed certificate. In the case of creating a new certificate, we must remember to match the name in the certificate with the name used in the ECP URL.
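The steps above that the article performs in the GUI (second IP address, folder, second website, IP restriction) can also be scripted. The following is an added example, not part of the original article or of Microsoft's documentation; the IP address, interface alias and allowed subnet are constructed values to be replaced with your own, and it assumes an elevated Exchange Management Shell on the CAS with the IIS "IP and Domain Restrictions" role service installed.

```powershell
# Added example: all values below are assumptions (constructed), except the
# site name and folder, which are the ones used in the article.
$NewIp       = '10.0.0.12'            # second IP address for the CAS (assumed)
$PrefixLen   = 24                     # prefix length of that subnet (assumed)
$Nic         = 'Ethernet'             # existing interface alias (assumed)
$SiteName    = 'InternalEAC'
$SitePath    = 'C:\inetpub\wwwroot2'
$AllowedNet  = '10.0.0.0'             # internal/admin subnet allowed in (assumed)
$AllowedMask = '255.255.255.0'

Import-Module WebAdministration

# 1. Add the second IP address to the existing network interface.
if (-not (Get-NetIPAddress -IPAddress $NewIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $Nic -IPAddress $NewIp -PrefixLength $PrefixLen | Out-Null
}

# 2. Create the folder and the second website, bound only to the new IP.
#    The HTTPS binding serves traffic once a certificate is assigned (last step).
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -PhysicalPath $SitePath -IPAddress $NewIp -Port 80 | Out-Null
    New-WebBinding -Name $SiteName -Protocol https -IPAddress $NewIp -Port 443
}

# 3. IP restriction on the new site: deny anything not listed,
#    then allow only the internal/admin subnet.
$filter = 'system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter $filter -Name 'allowUnlisted' -Value 'false'
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter $filter -Name '.' `
    -Value @{ ipAddress = $AllowedNet; subnetMask = $AllowedMask; allowed = 'true' }

# 4. Audit after the virtual directories exist: the ECP directory on the
#    default (Internet-facing) site should show AdminEnabled = False, and
#    the one on InternalEAC should show True.
Get-EcpVirtualDirectory |
    Select-Object Identity, InternalUrl, AdminEnabled |
    Format-Table -AutoSize
```

Run steps 1 to 3 before the New-EcpVirtualDirectory and New-OwaVirtualDirectory commands, and step 4 after the final iisreset, so the audit reflects the state IIS is actually serving.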