In Exchange Server 2016, the Exchange admin center is the primary management interface for Exchange. For more information, see Exchange admin center in Exchange 2016. By default, access to the EAC isn't restricted, and access to Outlook on the web (formally known as Outlook Web App) on an on an Internet-facing Exchange server also gives access to the EAC. You still need valid credentials to sign in to the EAC, but organizations may want to restrict access to the EAC for client connections from the Internet.
In Exchange 2016, the EAC virtual directory is named ECP, and is managed by the *-ECPVirtualDirectory cmdlets. When you set the AdminEnabledparameter to the value
$false on the EAC virtual directory, you disable access to the EAC for internal and external client connections, without affecting access to the Settings > Options page in Outlook on the web.
But, this configuration introduces a new problem: access to the EAC is completely disabled on the server, even for administrators on the internal network. To fix this issue, you have two choices:
Configure a second Exchange 2016 server that's only accessible from the internal network to handle internal EAC connections.
On the existing Exchange 2016, create a new Internet Information Services (IIS) web site with new virtual directories for the EAC and Outlook on the web that's only accessible from the internal network.
Note: You need to configure the EAC and Outlook Web App in the new web site, because the EAC requires the Outlook Web App authentication module from the same web site.