With Exchange 2013 administration moving to the browser, you can manage your Exchange 2013 environment from anywhere in the world, provided that it is published. How can we switch off access from outside the corporate network?
You can manage your 2013 environment with EAC internally by navigating to https://casserver/ecp or https://loadbalancedurl/ecp if you have an NLB or load balancer in place. Your external webmail URL (https://mail.domain.com) can be used to access the EAC (with /ecp) from outside the corporate network.
You may have a valid reason to turn off access to EAC from outside the internal network, and the good thing is that it can be turned off without affecting your OWA or OWA Options. By default, EAC access from outside the network is enabled.
You can turn it off by setting the AdminEnabled parameter of the ECP virtual directory to false.
It will take a few minutes for Exchange to pick up the change. You can always run an iisreset to force the change. If you try accessing the EAC from outside now, you will receive a 404 (website not found) error, but your OWA and Options will continue to work.
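The steps above as one Exchange Management Shell sequence, added here as an example and not taken from the original post. `CAS01` is a placeholder server name (assumption), and the default virtual directory name "ecp (Default Web Site)" is assumed. The script records the current settings first and keeps the revert command at hand, since several commenters below report that the setting also blocks EAC from inside the network.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2013 CAS.
# 'CAS01' is a placeholder (assumption); replace it with your own server name.
$server   = 'CAS01'
$identity = "$server\ecp (Default Web Site)"

# Guard: the session must expose -AdminEnabled. A commenter below hit
# "A parameter cannot be found that matches parameter name 'AdminEnabled'"
# in a session whose PSComputerName was an Exchange 2010 server.
$cmd = Get-Command Set-EcpVirtualDirectory -ErrorAction Stop
if (-not $cmd.Parameters.ContainsKey('AdminEnabled')) {
    throw 'This session does not offer -AdminEnabled; connect to an Exchange 2013 server.'
}

# Record the current state so the change can be reverted.
Get-EcpVirtualDirectory -Identity $identity |
    Format-List Identity, AdminEnabled, OwaOptionsEnabled, InternalUrl, ExternalUrl

# Turn off the admin (EAC) side of the ECP virtual directory.
Set-EcpVirtualDirectory -Identity $identity -AdminEnabled $false

# Optional: force IIS to pick up the change instead of waiting a few minutes.
# Run this on the CAS itself.
iisreset

# Read the setting back to confirm what is now in effect.
Get-EcpVirtualDirectory -Identity $identity |
    Format-List Identity, AdminEnabled, OwaOptionsEnabled

# Revert (uncomment to restore EAC access):
# Set-EcpVirtualDirectory -Identity $identity -AdminEnabled $true
```

Test `/ecp` and `/owa` from both an internal and an external client after the change, before relying on it.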
Hey Guys, Please assist. I installed exchange 2013 but I cannot access EAC. Get the error below:
Server Error in ‘/owa’ Application.
________________________________________
MapiExceptionMdbOffline: Unable to make connection to the server. (hr=0x80004005, ec=1142)
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Microsoft.Mapi.MapiExceptionMdbOffline: MapiExceptionMdbOffline: Unable to make connection to the server. (hr=0x80004005, ec=1142)
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[MapiExceptionMdbOffline: MapiExceptionMdbOffline: Unable to make connection to the server. (hr=0x80004005, ec=1142)]
Microsoft.Mapi.MapiExceptionHelper.InternalThrowIfErrorOrWarning(String message, Int32 hresult, Boolean allowWarnings, Int32 ec, DiagnosticContext diagCtx, Exception innerException) +61
Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, IExInterface iUnknown, Exception innerException) +91
Microsoft.Mapi.ExRpcConnectionFactory.Create(ExRpcConnectionInfo connectionInfo) +1210
Microsoft.Mapi.MapiStore.OpenMapiStore(String serverDn, String userDn, String mailboxDn, Guid guidMailbox, Guid guidMdb, String userName, String domainName, String password, String httpProxyServerName, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, Boolean wantRedirect, String& correctServerDN, ClientIdentityInfo clientIdentity, String applicationId, Client xropClient, Boolean wantWebServices, Byte[] clientSessionInfo, TimeSpan connectionTimeout, Byte[] tenantHint) +1857
Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore) +23073
[MailboxOfflineException: Cannot open mailbox /o=Reitumetse/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=0e7e106625474653aa18afd9318835c4-Administrator.]
Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore) +51774
Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(MapiStore linkedStore, LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, GenericIdentity auxiliaryIdentity) +4354
Microsoft.Exchange.Data.Storage.c__DisplayClass16.b__14(MailboxSession mailboxSession) +220
Microsoft.Exchange.Data.Storage.MailboxSession.InternalCreateMailboxSession(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegatedUser, CultureInfo cultureInfo, String clientInfoString, IBudget budget, Action`1 initializeMailboxSession, InitializeMailboxSessionFailure initializeMailboxSessionFailure) +2333
Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString, PropertyDefinition[] mailboxProperties, IList`1 foldersToInit, GenericIdentity auxiliaryIdentity, IBudget budget) +1022
Microsoft.Exchange.Data.Storage.MailboxSession.ConfigurableOpen(ExchangePrincipal mailbox, MailboxAccessInfo accessInfo, CultureInfo cultureInfo, String clientInfoString, LogonType logonType, PropertyDefinition[] mailboxProperties, InitializationFlags initFlags, IList`1 foldersToInit, IBudget budget) +1198
Microsoft.Exchange.Data.Storage.MailboxSession.Open(ExchangePrincipal mailboxOwner, ClientSecurityContext clientSecurityContext, CultureInfo cultureInfo, String clientInfoString) +188
Microsoft.Exchange.Clients.Owa2.Server.Core.OwaClientSecurityContextIdentity.CreateMailboxSession(ExchangePrincipal exchangePrincipal, CultureInfo cultureInfo) +533
Microsoft.Exchange.Clients.Owa2.Server.Core.RequestDispatcher.HandleLanguagePost(RequestContext requestContext, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized, String destination) +647
Microsoft.Exchange.Clients.Owa2.Server.Core.RequestDispatcher.DispatchIfLanguagePost(RequestContext requestContext) +642
Microsoft.Exchange.Clients.Owa2.Server.Core.RequestDispatcher.InternalDispatchRequest(RequestContext requestContext) +620
Microsoft.Exchange.Clients.Owa2.Server.Core.RequestDispatcher.DispatchRequest(RequestContext requestContext) +297
Microsoft.Exchange.Clients.Owa2.Server.Core.OwaRequestHandler.OnPostAuthorizeRequest(Object sender, EventArgs e) +352
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165
________________________________________
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.17929
Update your post fella, I wondered how this would work as it is a blanket command, I thought what the hell and did it. Lost Admin access, fortunately I was able to revert it quickly. Add another CAS outside your load balancer and turn off admin in your load balanced CAS’s.
Hi,
After disabling the admin feature on the Default ECP V-Dir, can’t we just create a second ECP Virtual Directory (ExternalURL blank) and leave AdminEnabled on this one? This URL could be used for internal administration then. Or would this second ECP Directory affect existing mailboxes?
Regards
Marcel
Hi,
For the record: yes, it completely disables EAC access.
What you should consider for your design is not providing EAC access on internet-accessible CAS servers.
Use an internal CAS for management.
Regards,
Seb
sources: http://technet.microsoft.com/en-us/library/jj218639%28v=exchg.150%29.aspx
Please update the post, as your method will also disable ECP internally, not just externally. Thanks
Thanks David.
That is something that has been going on for a while. Will update soon.
PS: Keep in mind that if you restrict ecp using IP and domain restrictions there is also the downside that users cannot use ECP functionality via OWA any more. That includes things like out of office and message rules.
Completely agree with you Andre. This is poor thought from the product team. Why disable the whole thing for the user, when it also disables OWA options?
So, umm … when are you planning on checking and updating the post? I can confirm that disabling ECP admin access completely disables it, not just for external access (which is logical as you turned the feature off). A more sensible solution might be to use IIS IP and domain restrictions to limit access to /ecp to only internal IPs. Without ECP you have to perform all Exchange admin using PowerShell. All but the most hard-core Exchange admins would want to use the ECP at some point or another.
lol, you keep saying for months how you will check and update but the fact is that this entire article is misleading. The command turns off Exchange server administrative features entirely, not just from any particular location. I feel bad for all the admins that will try these settings just to be disappointed when you could have just tested (takes three minutes to confirm). Howexchangedoesn’twork.com.
Hi Michael,
You are right, it turns off the access completely, which wasn’t MS’s intention when they came up with it. What is the point of turning the whole thing off, when it turns off OWA options for the user?
rajith
Hi, I’m getting the same issue, the cmdlet disables both external and internal!
Please advise
thanks and regards
Hi AP,
Will check and update the post.
Hello Rajith
Can you confirm that this cmdlet also disables EAC from inside?
I have tested it, but from inside I have only the administrator mailbox options :(
Thanks
Regards
Will test and confirm Hakim.
How do you turn EAC internet access back on after having turned it off?
I turned it off with the setting Set-ECPVirtualDirectory .. etc
But when I try to turn it back on, I get an error.
In addition, I seem to no longer be able to bring up the EAC on the intra as well as the internet.
Error msg:
A parameter cannot be found that matches parameter name ‘AdminEnabled’
+ CategoryInfo : InvalidArgument: (:) [Set-EcpVirtualDirectory], ParameterBindingException
+ FullyQualifiedErrorID : NamedParameterNotFound,Set-EcpVirtualDirectory
+ PSComputerName : this has the FQDN name of my 2010 server and not my 2013 server
Will check Robert and update the post.