URL: */ecp/?ExchClientVer=15 does not match URI Check: /ecp/default.aspx My testing shows that this allows external access for Admins.

Of course they don't match. What is this about and what are you trying to achieve? Some more info would help.

Disable external access to the ECP for Admins who are members of the Exchange Organization Management Security Group? as per ms "organizations may want to restrict access to the EAC for client connections from the Internet" https://technet.microsoft.com/en-us/library/jj218639%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396 Should BIG-IP APM restrict EAC access to members of the Exchange Organization Management Security Group? Yes, restrict EAC access by group membership seems to me this is around the wrong way around and doesn't match anyway. or am i missing something? So in theory this is meant to block ecp to users who might change personal details, members of groups they own or wipe their own phone which got stolen. Where as we allow admins full access to change smtp routing, any policy they want, disable access to all other admins...

OK, as I understand it from the link above, MS recommends that access to "/ecp" be restricted to from the internal network by way of disabling the service but setting it up on a different IP address for access from the internal network only. Now, in what way has this to do with F5 in your deployment?

Should BIG-IP APM restrict EAC access to members of the Exchange Organization Management Security Group? Yes, restrict EAC access by group membership seems to me this is around the wrong way around and doesn't match anyway. or am i missing something? So in theory this is meant to block ecp to users who might change personal details, members of groups they own or wipe their own phone which got stolen. Where as we allow admins full access to change smtp routing, any policy they want, disable access to all other admins... What I can't understand is when and why would I want to do that? Surely it would make more sense to block ECP access to Admins via the the APM and iapp and allow normal users access.

I see. Our deployment here is to allow all through (per business request). So I don't see the bit about APM's group membership checking in our configurations. Going through the code of the iapp myself though, I can see that "/ecp/default.aspx" is the landing page. I can't find a string match of "ExchClientVer" anywhere. I also see this: "Because you are deploying the BIG-IP APM, you can restrict Exchange Administration Center (EAC) access to members of Exchange 2013's Organizational Management group. The BIG-IP APM module queries Active Directory group membership and the BIG-IP APM policy allows or denies access based on membership." Anyway, there seems to be 2 things here: 1) The APM acl function does not work (not matching a certain string); and 2) it seems pointless to have this function from your perspective. So what do we want to do?

EAC Restrict Access does not work for Exchange 2016 via iApp

16 Replies

Joshua_Bines_12

Cirrus

Jan 25, 2017

Added a new irule, I was hoping to display this page after the user is authenticated via the apm. Any thought's?

Thanks in advance. Josh

priority 899
when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::path]] {
        "/ecp*" {
             Respond with a splash page with redirection.
            HTTP::respond 200 content {
              
                 
                    External ECP Access Disabled
                 
                 
                    External Exchange Control Pannel (ECP)
                    We are sorry, for security reasons external ECP access is disabled. 
                    To return click 
                 
              
                }   
            }

    }

}

Cumulonimbus

Jan 25, 2017

priority 899
when HTTP_REQUEST {
     Bar admin access:
    if { [HTTP::uri] starts_with "/ecp/?ExchClientVer=15" } {
        HTTP::respond 403 content {
            
               
                  External ECP Access Disabled
               
               
                  External Exchange Control Pannel (ECP)
                  We are sorry, for security reasons external ECP access is disabled.
                  To return click 
               
            
        } "Content-Type" "text/html" Connection close
    } 
}

[Edited]

Joshua_Bines_12
Cirrus
Jan 29, 2017
Hi Guys,

Any comments on the EAC function of the iapp? as per the below 2 points. Are we looking at updating the deployment guide and iapp at some point or are we missing something?

"Anyway, there seems to be 2 things here: 1) The APM acl function does not work (not matching a certain string); and 2) it seems pointless to have this function from your perspective."

Joshua_Bines_12

Cirrus

Mar 08, 2017

priority 899
when HTTP_REQUEST {
     Bar admin access:
    if { [string tolower [HTTP::uri]] starts_with "/ecp/?exch" } {
     Bar access from everybody:
    if { [HTTP::uri] starts_with "/ecp" } {
        HTTP::respond 403 content {
            
               
                  External ECP Access Disabled
               
               
                  External Exchange Control Pannel (ECP)
                  We are sorry, for security reasons external ECP access is disabled.
                  To return click 
               
            
        } "Content-Type" "text/html" Connection close
    } 
}

JG
Cumulonimbus
Mar 08, 2017
Well, you may well add the "string tolower" bit, but I should think such a URL ought to be case-sensitive. I never tested it though.
Joshua_Bines_12
Cirrus
Mar 08, 2017
Thanks for the reply. From our testing, it showed that if you used "ecp/?exchclientver=15" or "ECP/?ExchClientVer=15" the irule would not match and grant users access.

Once all our mailboxes have been migrated to exchange 2016 we will bar all external users to the ecp directory

Forum Discussion

EAC Restrict Access does not work for Exchange 2016 via iApp

16 Replies

Recent Discussions

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Inquiry on F5's Maintenance Mode Feature for Pool Members

Ansible modules for F5OS

VPN fragmented IP packets dropped

Related Content

Irule for restricting access

Restrict Access to Exchange Administrative Center - Enhanced

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions

Restricting access to a virtual server by Public IP address should access through only domain name.