Mark Minasi's Tech Forum
wobble_wobble (Associate Troublemaker Apprentice, 740 posts), post #1
https://technet.microsoft.com/en-us/library/jj218639(v=exchg.160).aspx

This seems just the silliest thing ever, ever, ever.

Quote:

In Exchange Server 2016, the Exchange admin center is the primary management interface for Exchange. For more information, see Exchange admin center in Exchange 2016. By default, access to the EAC isn't restricted, and access to Outlook on the web (formally known as Outlook Web App) on an Internet-facing Exchange server also gives access to the EAC. You still need valid credentials to sign in to the EAC, but organizations may want to restrict access to the EAC for client connections from the Internet.

In Exchange 2016, the EAC virtual directory is named ECP, and is managed by the *-ECPVirtualDirectory cmdlets. When you set the AdminEnabled parameter to the value $false on the EAC virtual directory, you disable access to the EAC for internal and external client connections, without affecting access to the Settings > Options page in Outlook on the web.

[Image: Options menu location in Outlook on the web]

But, this configuration introduces a new problem: access to the EAC is completely disabled on the server, even for administrators on the internal network. To fix this issue, you have two choices:

  • Configure a second Exchange 2016 server that's only accessible from the internal network to handle internal EAC connections.

  • On the existing Exchange 2016, create a new Internet Information Services (IIS) web site with new virtual directories for the EAC and Outlook on the web that's only accessible from the internal network.

    Note: You need to configure the EAC and Outlook Web App in the new web site, because the EAC requires the Outlook Web App authentication module from the same web site.



__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
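A PowerShell rendering of the two-virtual-directory setup the quoted article describes, added here as an example; it is not code from the thread or from Microsoft's page. The server name, internal IP address, site name, physical path, host name and certificate thumbprint are placeholders I chose, and the -Role Mailbox value on the New-*VirtualDirectory cmdlets is assumed for an Exchange 2016 Mailbox server.

```powershell
# Added example, not from the forum post or the Microsoft article it quotes.
# Assumptions: Exchange 2016 Mailbox server EX01 (placeholder), a spare IP
# 10.0.0.50 (constructed) that is routable only on the internal network, the
# Exchange Management Shell, and the IIS WebAdministration module.
$Server       = 'EX01'
$InternalSite = 'Exchange Admin (Internal)'      # my own site name
$InternalIP   = '10.0.0.50'
$SitePath     = 'C:\inetpub\ExchangeAdminInternal'
$InternalHost = 'admin.corp.example'             # constructed DNS name for the internal site
$CertThumbprint = '<EXCHANGE_CERT_THUMBPRINT>'   # placeholder, use the server's existing cert

# 1. Show the current state. AdminEnabled = $true on "ecp (Default Web Site)"
#    means the EAC is reachable on the same vDir that serves OWA to the Internet.
Get-EcpVirtualDirectory -Server $Server |
    Format-Table Name, WebSiteName, AdminEnabled, InternalUrl, ExternalUrl -AutoSize

# 2. Turn the admin UI off on the Internet-facing ECP vDir. The Settings > Options
#    pages in OWA keep working; only the admin center pages under /ecp go away.
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" -AdminEnabled $false

# 3. Create a second IIS site bound only to the internal IP, with HTTPS.
Import-Module WebAdministration
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
New-WebSite -Name $InternalSite -PhysicalPath $SitePath `
    -IPAddress $InternalIP -Port 443 -Ssl | Out-Null
# Attach the existing Exchange certificate to the new IP:port binding.
$Cert = Get-Item "Cert:\LocalMachine\My\$CertThumbprint"
New-Item -Path "IIS:\SslBindings\$InternalIP!443" -Value $Cert | Out-Null

# 4. OWA and ECP must live in the same site, because the EAC relies on the OWA
#    authentication module from that site (as the quoted note says).
New-OwaVirtualDirectory -Server $Server -Role Mailbox -WebSiteName $InternalSite `
    -InternalUrl "https://$InternalHost/owa"
New-EcpVirtualDirectory -Server $Server -Role Mailbox -WebSiteName $InternalSite `
    -InternalUrl "https://$InternalHost/ecp"

# 5. Verify: the only ECP vDir still reporting AdminEnabled = $true should be the
#    one on the internal-only site. Anything else means step 2 did not take.
Get-EcpVirtualDirectory -Server $Server |
    Where-Object { $_.AdminEnabled } |
    Select-Object Identity, WebSiteName, AdminEnabled
```

Run it from the Exchange Management Shell on the server itself; step 2 alone is the "turn on, turn off" toggle discussed later in the thread, and steps 3 and 4 are what gives administrators their EAC back. The separation only holds if the internal IP and host name really are unreachable from the Internet (no firewall NAT or reverse-proxy rule publishing them), so the final Get-EcpVirtualDirectory check is worth repeating after any change to the edge.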
cj_berlin (Senior Member, 176 posts), post #2
Well, I know many sites who have separate OWA vDirs for external and internal access *anyway* so for those, this setting is a step forward in overall security. For the others... well, how difficult can it be to create another web site?
__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
wobble_wobble (Associate Troublemaker Apprentice, 740 posts), post #3
All grand until the next patch happens.
And the next.
And the automatic patches kill it altogether.

Surely an easy turn-on, turn-off option should have been in it. I thought the notion was secure computing.

Maybe I'm just getting old and cranky or maybe not.

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
cj_berlin (Senior Member, 176 posts), post #4
Sorry, but I fail to see how patching relates more to a second or a third vDir than it does to the first and, in that case, only one. And a parameter you can pass to a cmdlet is an easy turn on, turn off option. The whole point is, however, that the turn on option should not be accessible via the user interface itself [wink]
__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
wobble_wobble (Associate Troublemaker Apprentice, 740 posts), post #5
Fair enough.

But let's just say I was **************** shocked that ECP was available on the internet.
Never noticed / was quite busy before on deployments.

Sad that the simple solutions don't work:
IIS IP and Domain restrictions.
Adding a mad address: /ecp-my-mad-address-for-ecp-for-the-cranky-old-irish-guy



__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
Wes (Senior Member, 189 posts), post #6
It's always been that way. We just set up Duo 2-factor and require it for all admin accounts. It's available for free if you don't need any of the fancy features.