Tuesday, May 21, 2013

Exchange 2013 Admin Center URL’s

You have just installed Exchange 2013 in your Exchange 2007 or 2010 organization. You start a browser to access the Exchange Admin Center (EAC), the Exchange GUI admin tool, point it to https://servername/ecp and log in with an account you know has permissions in Exchange, but you are met with an error message.
The reason is that the mailbox you are logging on with is not located on Exchange 2013. The solution is either to move the mailbox to an Exchange 2013 mailbox server or to change the URL to “https://casservername/ecp?ExchClientVer=15”. The query string tells ECP to show the Exchange 15 (2013) version of EAC instead of the Exchange 14 (2010) version it would otherwise show, because the mailbox is not on an Exchange 15 server.
With the new URL you get into EAC and can start configuring your Exchange 2013 server, and life is good until you realize that EAC is reachable from the Internet. It still requires authentication, but it is nevertheless reachable.
Since you use TMG to publish Exchange, you figure you can deny access to the /ecp URL from the Internet, but unfortunately that also stops users from reaching the OWA options page, which is served from the same /ecp path.

You then find that the ECP virtual directory has a parameter, AdminEnabled, which disables EAC when set to False. Sadly this disables EAC completely, leaving you with only the Exchange Management Shell, and most people want a GUI to manage Exchange.

The solution is to create a new website that is reachable only from the internal network and not from the Internet. The easiest way is to give the new website a different listening port.

Here is what you need to do.

# port used for the EAC website
$port = 9443

# create a new folder to host the new website
mkdir C:\EAC

# create a new website (plain hyphen before ApplicationPool; the original had an en dash)
New-Website -Name EAC -PhysicalPath C:\EAC -Verbose -Ssl -Port $port -Id $port -ApplicationPool MSExchangeOWAAppPool

Then you must assign a certificate to the website. This is done under the Bindings option of the newly created EAC website in IIS Manager.

#create FW rule to allow traffic to website
New-NetFirewallRule -Name "EAC website" -Description "Exchange Admin Center website" -DisplayName "EAC website" -Protocol TCP -Profile Any -Action Allow -LocalPort $port

Then create the ECP application in the EAC website.

$hostname = ([System.Net.Dns]::GetHostByName(($env:computerName))).hostname

$IntUrl = (Get-EcpVirtualDirectory -Server $hostname).InternalUrl.tostring()

# Get path from the original ECP website
$DirPath = (Get-EcpVirtualDirectory -Server $hostname).path

# Create new EAC web
New-EcpVirtualDirectory -WebSiteName EAC -Server $hostname -InternalUrl $IntUrl -Path $DirPath -Role ClientAccess -AppPoolId MSExchangeECPAppPool

# Finally, disable EAC on the default ECP application (the Internet-facing one)
Set-EcpVirtualDirectory -Identity "$hostname\ecp (Default Web Site)" -AdminEnabled $false

New-EcpVirtualDirectory states that you must create an OWA application as well, but I have not encountered any problem by not doing this. The only problem I have when doing this is that browsing the OU structure in AD when creating new mailboxes doesn't work. I have tried both with the above settings and also by creating the OWA application as suggested, but it simply doesn't work either way.
Simply put the commands in a PowerShell script and run it from EMS. When done you can access EAC with the new URL “https://casname:9443/ecp”.
Tip: when you later change URLs or the certificate on your CAS, you should also change them on the EAC website to keep everything working correctly.
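As an added example (not the post's own script), here are the steps above combined into one re-runnable script. It differs from the commands in the post in three places, all of them assumptions on my part rather than anything the post states: the certificate is bound from PowerShell through the IIS: provider instead of the Bindings dialog, reusing whichever certificate Exchange already has enabled for IIS; the firewall rule is limited to an internal address range (10.0.0.0/8 is a placeholder you must replace) instead of allowing any source; and the script ends by listing every ECP virtual directory so you can confirm that only the one in the EAC site still has AdminEnabled set to True. It assumes it is run from the Exchange Management Shell on the CAS with the WebAdministration module available.

```powershell
# Added example: the post's procedure as one idempotent script.
# ASSUMPTIONS: run from EMS on the CAS; WebAdministration module present;
# $internalRange is a placeholder for your own management subnets.
Import-Module WebAdministration

$port          = 9443
$siteName      = 'EAC'
$sitePath      = 'C:\EAC'
$internalRange = '10.0.0.0/8'   # ASSUMPTION / placeholder: replace with your internal subnets
$hostname      = ([System.Net.Dns]::GetHostByName($env:COMPUTERNAME)).HostName

# 1. Folder and website. Both checks make the script safe to run twice.
if (-not (Test-Path $sitePath)) {
    New-Item -ItemType Directory -Path $sitePath | Out-Null
}
if (-not (Get-Website -Name $siteName)) {
    New-Website -Name $siteName -PhysicalPath $sitePath -Ssl -Port $port -Id $port `
        -ApplicationPool MSExchangeOWAAppPool | Out-Null
}

# 2. Bind the certificate Exchange already uses for IIS to the new port
#    (replaces the IIS Manager "Bindings" step from the post).
$thumb = (Get-ExchangeCertificate -Server $hostname |
          Where-Object { $_.Services -match 'IIS' } |
          Select-Object -First 1).Thumbprint
$bindingPath = "IIS:\SslBindings\0.0.0.0!$port"
if (-not (Test-Path $bindingPath)) {
    Get-Item "Cert:\LocalMachine\My\$thumb" | New-Item -Path $bindingPath | Out-Null
}

# 3. Firewall rule scoped to the internal range on the Domain profile only,
#    rather than -Profile Any with no source restriction.
if (-not (Get-NetFirewallRule -Name 'EAC website' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'EAC website' -DisplayName 'EAC website' `
        -Description 'Exchange Admin Center website (internal only)' `
        -Protocol TCP -LocalPort $port -RemoteAddress $internalRange `
        -Profile Domain -Action Allow | Out-Null
}

# 4. ECP virtual directory in the new site, copying URL and path from the
#    default one instead of assuming the server has only one ECP directory.
$defaultEcp = Get-EcpVirtualDirectory -Server $hostname |
              Where-Object { $_.Identity -like '*Default Web Site*' }
$newEcp = Get-EcpVirtualDirectory -Server $hostname |
          Where-Object { $_.Identity -like "*($siteName)*" }
if (-not $newEcp) {
    New-EcpVirtualDirectory -WebSiteName $siteName -Server $hostname `
        -InternalUrl $defaultEcp.InternalUrl.ToString() -Path $defaultEcp.Path `
        -Role ClientAccess -AppPoolId MSExchangeECPAppPool | Out-Null
}

# 5. Turn the admin UI off on the Internet-facing ECP; the EAC site keeps it on.
Set-EcpVirtualDirectory -Identity $defaultEcp.Identity -AdminEnabled $false

# 6. Verify: exactly one row should show AdminEnabled = True, and it must be
#    the "(EAC)" directory. Then confirm the port answers from this host.
Get-EcpVirtualDirectory -Server $hostname |
    Format-Table Identity, AdminEnabled, InternalUrl -AutoSize
if ((Test-NetConnection -ComputerName $hostname -Port $port).TcpTestSucceeded) {
    Write-Host "EAC is listening on https://${hostname}:$port/ecp"
} else {
    Write-Warning "Nothing is listening on port $port; check the site and SSL binding."
}
```

The verification table is also a useful periodic check after the fact: if a later cumulative update or a re-run of New-EcpVirtualDirectory flips AdminEnabled back to True on the Default Web Site directory, the admin UI is once again exposed through the published /ecp path, and this listing is the quickest way to notice.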

This is most likely unsupported, but I have had it running for several months without any problem except for the browsing thing in EAC.


1 comment:

  1. Hi Lasse,

    Nice idea that works great for us as well. Did you ever solve the OU picker bug?

    Thanks a lot