Inbound web-site filtering

SOLVED
deesloop
Here to help

Inbound web-site filtering

Looking for some help please?

I have a NAT rule that forward https on a specific IP to my exchange box for activesync. Works fine

I want to prevent external access to oulook anywhere and the admin pages of exchange.

Reseller advises me way to work is add a firewall block on https://domain.co.uk/ecp and https://domain.co.uk/rpc 

However I still get access and I think it's cos of the NAT rule. Does it not unconditionally forward?

 

Is it possible to do what I want, and if so can you advise  how?

 

Thanks

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal
Kind of a big deal

Because it is encrypted you can not do this on the MX.

 

I think ecp is used for setting "Out of office" messages.  So if you block that then that particular functionality of Outlook will stop working for remote users.  To the best of my knwoledge, rpc is unused.

 

The best way to block access to these would be on the Exchange server.  Configure IIS to place an IP address restriction on the virtual directories to where ever you want to allow access from.

 

 

Note that on Office 365 these ecp is remotely accessible ...

View solution in original post

2 REPLIES 2
PhilipDAth
Kind of a big deal
Kind of a big deal

Because it is encrypted you can not do this on the MX.

 

I think ecp is used for setting "Out of office" messages.  So if you block that then that particular functionality of Outlook will stop working for remote users.  To the best of my knwoledge, rpc is unused.

 

The best way to block access to these would be on the Exchange server.  Configure IIS to place an IP address restriction on the virtual directories to where ever you want to allow access from.

 

 

Note that on Office 365 these ecp is remotely accessible ...

That's a real shame. I get one story from Exchange folk and one from the meraki installer.

 

Thanks for clarifying

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels