With the change from an MMC-based administration model (Exchange 2010) to a web-based one in Exchange 2013/2016, Microsoft overloaded the ECP virtual directory. In Exchange 2010 that directory served only the Exchange Control Panel, i.e. the OWA Options page; in Exchange 2013 and 2016 the same virtual directory serves both the OWA Options page and the Exchange Admin Center (EAC). The consequence is that publishing /ecp to the Internet so that OWA users can reach their Options page also exposes the EAC. Some companies treat that as a security issue and block the virtual directory at the firewall or reverse proxy. Blocking it outright, however, cripples OWA for external users, because the Options page becomes unreachable along with the EAC.
What Can Be Done?
Luckily, Microsoft wrote a blog post that covers exactly this need:
Configuring Multiple OWA/ECP Virtual Directories on the Exchange 2013 Client Access Server Role
The problem lies in its execution, and in the usual case of human error.
What Was the Problem?
I had this exact issue come up while assisting a client I work with on an irregular basis. They had a separate admin website configured, but it was not working. Reviewing the configuration against Microsoft's article, I noticed a few irregularities:
- Files were missing from the new website's virtual directories
- Internal and external URLs had been assigned to the admin site's virtual directories (which are not needed there; they belong on the Internet-facing directories)
- The authentication settings on the virtual directories were incorrect as well
To resolve the issue, the extra website had to be removed and then recreated by following Microsoft's article step by step. With a working admin site in place, the Exchange Admin Center (EAC) could be turned off on the default ECP virtual directory. First list the current state of each ECP virtual directory; on Exchange 2013/2016 you will see both an "ecp (Default Web Site)" and an "ecp (Exchange Back End)" entry, and only the front-end Default Web Site one is changed. Note that Set-EcpVirtualDirectory takes -Identity rather than -Server, so the virtual directory must be named explicitly:
Get-EcpVirtualDirectory -Server <Exchange Server> | ft Identity,AdminEnabled -Auto
Set-EcpVirtualDirectory -Identity "Ex01\ecp (Default Web Site)" -AdminEnabled $False
Make sure to heed the warning that the change is only picked up after a few minutes unless IIS is restarted:
WARNING: It will take 5 minutes for these configuration changes to take effect. If you want the changes to take effect immediately, restart Internet Information Services (IIS) on all back-end servers. To restart IIS, run the following command: “iisreset /noforce”.
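As an added example (this is not code from the original post or from Microsoft's article), the whole procedure in one Exchange Management Shell script: remove the broken admin site cleanly, recreate it per the article, strip the unneeded URLs, disable the EAC on the Internet-facing ECP directory, restart IIS and verify the result. The server name EX01, the site name ExchangeAdmin, port 8443 and the physical path are assumptions; adjust them to your environment.

```powershell
# Added example, not the original post's or Microsoft's code. Run in the Exchange
# Management Shell on the server that hosts the Client Access components.
# Assumed values: server EX01, admin site "ExchangeAdmin" on HTTPS port 8443.
Import-Module WebAdministration

$server   = "EX01"
$siteName = "ExchangeAdmin"
$sitePort = 8443
$sitePath = "C:\inetpub\$siteName"

# 1. Tear down the broken admin site cleanly. The OWA/ECP virtual directory
#    objects live in Active Directory, so remove them with the Exchange cmdlets
#    before deleting the IIS website that hosted them.
Get-EcpVirtualDirectory -Server $server |
    Where-Object { $_.WebSiteName -eq $siteName } |
    ForEach-Object { Remove-EcpVirtualDirectory -Identity $_.Identity -Confirm:$false }
Get-OwaVirtualDirectory -Server $server |
    Where-Object { $_.WebSiteName -eq $siteName } |
    ForEach-Object { Remove-OwaVirtualDirectory -Identity $_.Identity -Confirm:$false }
if (Get-Website -Name $siteName -ErrorAction SilentlyContinue) {
    Remove-Website -Name $siteName
}

# 2. Recreate the IIS website on an internal-only binding. Pick a port (or IP)
#    that is NOT published through the firewall or reverse proxy; otherwise the
#    EAC has merely moved. Assign the server certificate to the new HTTPS binding
#    afterwards, exactly as for the Default Web Site.
New-Item -ItemType Directory -Path $sitePath -Force | Out-Null
New-Website -Name $siteName -Port $sitePort -PhysicalPath $sitePath -Ssl | Out-Null

# 3. Create the OWA and ECP virtual directories inside the new site. These are
#    front-end (ClientAccess) directories; the "Exchange Back End" ones are not
#    touched at any point.
New-OwaVirtualDirectory -Server $server -Role ClientAccess -WebSiteName $siteName | Out-Null
New-EcpVirtualDirectory -Server $server -Role ClientAccess -WebSiteName $siteName | Out-Null

# 4. The admin site's directories carry no InternalUrl/ExternalUrl; those values
#    belong on the Internet-facing directories in the Default Web Site only.
Set-EcpVirtualDirectory -Identity "$server\ecp ($siteName)" -InternalUrl $null -ExternalUrl $null
Set-OwaVirtualDirectory -Identity "$server\owa ($siteName)" -InternalUrl $null -ExternalUrl $null

# 5. Turn the EAC off on the Internet-facing ECP directory. OWA Options keeps
#    working because OwaOptionsEnabled is left alone.
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" -AdminEnabled $false

# 6. Apply immediately instead of waiting for the periodic configuration refresh.
iisreset /noforce

# 7. Verify: "ecp (Default Web Site)" should show AdminEnabled False and keep its
#    URLs; "ecp ($siteName)" should show AdminEnabled True with blank URLs.
Get-EcpVirtualDirectory -Server $server |
    Format-Table Identity, AdminEnabled, OwaOptionsEnabled, InternalUrl, ExternalUrl -AutoSize

# 8. Review the authentication settings of the admin site's directory separately
#    against Microsoft's article before handing it to the admins.
Get-EcpVirtualDirectory -Identity "$server\ecp ($siteName)" | Format-List *Authentication*
```

Administrators then open the EAC at https://EX01:8443/ecp (assumed binding) on the internal network, while https://<public name>/ecp keeps serving only the OWA Options page. The removal step runs first on purpose: leaving stale virtual directory objects in Active Directory is the usual reason a recreated site comes up with missing files or odd settings.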
Now we have an alternate website and ECP virtual directory set aside just for the EAC, and the Internet-facing ECP virtual directory no longer exposes the EAC while the OWA Options page keeps working. Make sure the admin site's binding is not published through the firewall or reverse proxy, or the EAC has simply moved rather than been removed from the Internet.