How to allow Exchange Administrative Center only to my internal networks

Hello everyone.
I am currently using the free Kemp Load Balancer in my DMZ to balance inbound HTTP/HTTPS and SMTP traffic to two Exchange Server 2019 servers in a DAG.
I downloaded the Core services: MAPI, SMTP and Unified HTTP/HTTPS template for my Exchange Server 2019.
Now, I would like to disable Exchange Administrative Center login from outside my networks and leave it enabled only from my internal networks, e.g. 10.10.40.0/22, 192.168.25.0/24, etc.

Could you tell me how to do this configuration? The version of Kemp I am using is 7.2.59.3.22368.RELEASE

Thank you very much for your help on this.

Best regards,
Gabriel 


4 comments


Andrew Spagnuolo

Official comment

Hello Gabriel,

Do you have separate virtual services for the external and internal traffic, or is everything going through a single virtual service?

If these are separated into different services, and you used the Exchange template with the sub virtual services, you could simply disable the ECP sub VS on the external virtual service.

If everything is handled on the one singular virtual service, you could create a content match rule which matches on any request not from an internal network IP, and fails it. Then apply that rule to the ECP sub virtual service.

You can find an article which goes over how to create a content match rule to match on a subnet and fail it here: https://support.kemptechnologies.com/hc/en-us/articles/200498919-How-to-Content-Match-by-Source-IP

Best Regards,



Matias Vilar

I manage everything with a single virtual service. But although I followed your post, it doesn't work for me. I'm trying to log in from my IP.
This is my configuration:

(screenshot of the content rule configuration, not reproduced)

What could I be missing?



Rich Kusak

Add the regex open and close character ("/") to the beginning and end of the Match String field.

/^10\.10\.9\.250$/

My management IPs are all in a /24, so I was able to apply a single rule with both Negation and Fail On Match selected. This effectively blocked all IPs not matching my management subnet.

Example of a /24: /^10\.10\.9\.\d+$/

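The regex approach above works cleanly for a single /24, but the original question lists two management subnets, one of them a /22 whose third octet spans 40 to 43 and cannot be written as a single literal. The following added example (not code from the thread or from Kemp) generates an exact, anchored match string for any IPv4 CIDR, combines several subnets into the one Match String the rule needs, and emulates the Negation + Fail On Match decision against constructed source addresses; it assumes the LoadMaster accepts the generated pattern once wrapped in `/.../` as Rich describes.

```python
import ipaddress
import re

# One IPv4 octet, 0-255, spelled out so that a value such as 999 cannot match
OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"


def cidr_to_pattern(cidr: str) -> str:
    """Return an unanchored regex matching exactly the addresses in an IPv4 CIDR.

    Fully fixed octets become literals, a partially fixed octet becomes an
    alternation of its possible values, and free octets use OCTET.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    base = net.network_address.packed
    parts = []
    for i in range(4):
        fixed_bits = min(8, max(0, net.prefixlen - 8 * i))
        if fixed_bits == 8:
            parts.append(str(base[i]))
        elif fixed_bits == 0:
            parts.append(OCTET)
        else:
            low = base[i]
            high = low + (1 << (8 - fixed_bits)) - 1
            parts.append("(" + "|".join(str(v) for v in range(low, high + 1)) + ")")
    return r"\.".join(parts)


def allowed_regex(allowed_cidrs: list[str]) -> str:
    """Build the single anchored regex for the Match String field (wrap it in
    '/' delimiters in the LoadMaster UI).  All management subnets go into one
    rule: a separate negated rule per subnet would match, and so fail, the
    traffic coming from every other management subnet."""
    return "^(" + "|".join(cidr_to_pattern(c) for c in allowed_cidrs) + ")$"


def request_is_failed(src_ip: str, allowed_cidrs: list[str]) -> bool:
    """Emulate Negation + Fail On Match: the request to the ECP sub virtual
    service is failed when the source IP matches none of the allowed subnets."""
    return re.fullmatch(allowed_regex(allowed_cidrs), src_ip) is None


if __name__ == "__main__":
    # Constructed sample: the subnets from the question plus a few test sources
    management = ["10.10.40.0/22", "192.168.25.0/24"]
    print(allowed_regex(management))
    for ip in ["10.10.42.7", "10.10.44.7", "192.168.25.1", "203.0.113.5"]:
        print(ip, "FAIL" if request_is_failed(ip, management) else "allow")
```

Unlike `\d+`, the `OCTET` alternative only accepts real octet values, so a malformed source string such as `10.10.9.999` is never treated as internal.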


Matias Vilar

Thank you. It is working fine now.

Regards,

Gabriel
