Jump to content
Welcome to our new Citrix community!

Restrict external access to Exchange Admin Center

Recommended Posts



We use Netscaler to load balance Exchange Webmail. Now when a user is browsing to webmail.domain.com/ecp and logs in with an admin user (even with no mailbox) the Exchange Admin center can be accessed, so this is externally available and a potential security issue since our webmail has no 2FA.


Is there any way I can use Netscaler to restrict access to this and make it unavailable?



Link to comment
Share on other sites

Depending on whether you need to allow some or no access to the /ecp service would affect this.

If you just want to block all external access to /ecp but still allow it internally, then a responder policy could filter:

Based on any users whose source IP is not an internal subnet or if the traffic is coming from a specific entry point like gateway or vpn.


http.req.url.path.get(1).set_text_mode(ignorecase).eq("ecp") && !(client.ip.in_subnet(<internal network>)

Use the responder policy to drop or redirect ECP and !<internal>

Or if content switching, just bind the filter to the ecp lb vserver and you don't need the path test.


It just depends on the complexity of what you want to allow and deny.

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...