Exchange 2013 EAC – Turn Off Internet Access

With Exchange 2013 administration moving to the browser, you can manage your Exchange 2013 environment from anywhere in the world, provided that it is published. How can we switch off access from outside the corporate network?

You can manage your Exchange 2013 environment with the EAC internally by navigating to https://casserver/ecp, or to https://loadbalancedurl/ecp if you have an NLB or load balancer in place. Your external webmail URL (https://mail.domain.com) can be used to access the EAC (with /ecp) from outside the corporate network.

You may have a valid reason to turn off access to the EAC from outside the internal network, and the good thing is that it can be turned off without affecting your OWA or OWA Options. By default, EAC access from outside the network is enabled.

EAC Access turned on by default

You can turn it off by setting the AdminEnabled parameter of the ECP virtual directory to false.

Turn off EAC Access from outside

It will take a few minutes for Exchange to pick up the change. You can always run an iisreset to force the change. If you try accessing the EAC from outside now, you will receive a 404 (website not found) error, but your OWA and Options will continue to work.
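
The steps above as Exchange Management Shell commands. This is an added example, not from the original post, and `CAS-EXT01` is a placeholder server name. Because the comments below report that the setting also removes the EAC for internal users of that virtual directory, the script first checks that another server still has AdminEnabled set.

```powershell
# Added example. Run in the Exchange Management Shell connected to an
# Exchange 2013 server (the last comment's error came from a session
# connected to an Exchange 2010 server, where the parameter was not found).
# 'CAS-EXT01' is a placeholder for the internet-facing Client Access server.
$target = 'CAS-EXT01'

# 1. Snapshot every ECP virtual directory so the change can be reverted.
$all = Get-EcpVirtualDirectory
$all | Format-Table Server, Name, AdminEnabled, InternalUrl, ExternalUrl -AutoSize

# 2. Stop if no other server would still serve the EAC afterwards.
$others = $all | Where-Object { $_.AdminEnabled -and ($_.Server -notlike $target) }
if (-not $others) {
    throw "No other ECP virtual directory has AdminEnabled set; the EAC would be unreachable."
}

# 3. Turn off the EAC on the target server's ECP virtual directory only.
Get-EcpVirtualDirectory -Server $target |
    Set-EcpVirtualDirectory -AdminEnabled $false

# 4. Optional, run on the target server itself to apply the change at once
#    instead of waiting a few minutes:
# iisreset

# 5. Verify the stored value.
Get-EcpVirtualDirectory -Server $target | Format-List Identity, AdminEnabled

# Rollback:
# Get-EcpVirtualDirectory -Server $target |
#     Set-EcpVirtualDirectory -AdminEnabled $true
```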

17 thoughts on “Exchange 2013 EAC – Turn Off Internet Access”

  1. Hey guys, please assist. I installed Exchange 2013 but I cannot access EAC. I get the error below:

    Server Error in ‘/owa’ Application.
    ________________________________________
    MapiExceptionMdbOffline: Unable to make connection to the server. (hr=0x80004005, ec=1142)

  2. Update your post, fella. I wondered how this would work as it is a blanket command; I thought what the hell and did it. Lost admin access; fortunately I was able to revert it quickly. Add another CAS outside your load balancer and turn off admin in your load-balanced CASs.

  3. Hi,
    After disabling the admin feature on the default ECP V-Dir, can’t we just create a second ECP virtual directory (ExternalURL blank) and leave AdminEnabled on for this one? This URL could then be used for internal administration. Or would this second ECP directory affect existing mailboxes?
    Regards
    Marcel

  4. PS: Keep in mind that if you restrict ecp using IP and domain restrictions there is also the downside that users cannot use ECP functionality via OWA any more. That includes things like out of office and message rules.

    • Completely agree with you Andre. This is poor thought from the product team. Why disable the whole thing for the user, when it also disables OWA options?

  5. So, umm … when are you planning on checking and updating the post? I can confirm that disabling ECP admin access completely disables it, not just for external access (which is logical as you turned the feature off). A more sensible solution might be to use IIS IP and domain restrictions to limit access to /ecp to only internal IPs. Without ECP you have to perform all Exchange admin using PowerShell. All but the most hard-core Exchange admins would want to use the ECP at some point or another.

  6. lol, you keep saying for months how you will check and update but the fact is that this entire article is misleading. The command turns off Exchange server administrative features entirely, not just from any particular location. I feel bad for all the admins that will try these settings just to be disappointed when you could have just tested (takes three minutes to confirm). Howexchangedoesn’twork.com.

    • Hi Michael,

      You are right, it turns off the access completely, which wasn’t MS’s intention when they came up with it. What is the point of turning the whole thing off, when it turns off OWA options for the user?

  7. Hello Rajith
    Can you confirm that this cmdlet also disables EAC from inside?
    I have tested it, but from inside I have only the administrator mailbox options :(
    Thanks
    Regards

      • How do you turn EAC internet access back on after having turned it off?

        I turned it off with the setting Set-ECPVirtualDirectory .. etc

        But when I try to turn it back on, I get an error.

        In addition, I seem to no longer be able to bring up the EAC on the intra as well as the internet.

        Error msg:
        A parameter cannot be found that matches parameter name ‘AdminEnabled’
        + CategoryInfo : InvalidArgument: (:) [Set-EcpVirtualDirectory], ParameterBindingException
        + FullyQualifiedErrorID : NamedParameterNotFound,Set-EcpVirtualDirectory
        + PSComputerName : this has the FQDN name of my 2010 server and not my 2013 server

