Exchange Server Client Access Rules EAC/RemotePowerShell Blocking

Hello, in this article we will cover how to block Exchange Admin Center (EAC) and Remote PowerShell access for specific IP addresses or ranges in Exchange Server 2019.

Until Exchange Server 2019, there was no clear method to block EAC access based on IP. In Exchange 2019, some of the features used in cloud environments have been integrated into on-premises environments, so it is now possible to restrict EAC or Remote PowerShell access to specific IP addresses or ranges.

These new features work similarly to the rules found primarily in the Hub Transport service, allowing you to manage who can access based on IP or user attributes.

What are Client Access Rules?

Client Access Rules (CAR) are managed with the Exchange Management Shell (EMS); a graphical user interface (GUI) is not available for them. The blocks you can make using CAR are as follows:

  • Blocking for a single IP address (Example: 192.168.1.1)
  • Blocking for a specific IP address range (Example: 192.168.1.1 – 192.168.1.50)
  • Blocking based on subnet (Example: 192.168.1.1/24)

To improve overall performance and manage system resources effectively, Microsoft caches Client Access Rules. Because of this caching mechanism, newly created or updated rules may not be activated immediately.

The first rule created in an organization can take approximately 24 hours to become active, while changing or removing an existing rule can be completed in approximately one hour.


Client Access Rules Components

  1. Conditions: This component defines which client connections the rule will apply to and forms the basis of the rules. Conditions can be based on criteria such as specific users, IP addresses, or client types.
  2. Exceptions: This component determines the client connections to which the rule should not be applied under certain conditions. Exceptions allow for more flexible and targeted application of rules.
  3. Action: This component defines the action to be taken if the conditions are met, for example blocking access for clients from a certain IP range, or allowing them to use only certain protocols.
  4. Priority: This component determines the order in which rules are applied. Each rule is assigned a priority number; the lower the number, the higher the priority of the rule. The system evaluates the rules with lower numbers first, so that priority actions are performed first. By default, the first created rules have the highest priority, but this order can be changed by the administrator according to needs.

Commands Used for Client Access Rule

Here are the PowerShell cmdlets available for managing Client Access Rules:

  • Get-ClientAccessRule: Lists all the existing Client Access Rules. This cmdlet allows you to view all the rules configured on the system so that you can evaluate the existing configurations.
  • New-ClientAccessRule: Allows you to create a new rule. This cmdlet helps you customize system security by allowing you to add new rules with specific conditions and actions.
  • Set-ClientAccessRule: Used to change an existing rule. With this cmdlet you can make changes to existing rules and apply updates.
  • Test-ClientAccessRule: Used to verify that a particular rule is configured correctly and exhibits the desired behavior.
  • Remove-ClientAccessRule: Used to remove an existing rule from the system. This cmdlet is used in the process of cleaning up policies that are no longer required or have been updated.

Checking Client Access Rules

To check the existing rules in your environment, you can first run the following command:

Get-ClientAccessRule

This command lists the rules configured in the system and allows you to check if there are any existing rules. If there are existing rules, you will need to plan the priority number of the new rules to be created according to these existing rules. The priority number is an important factor that determines the order in which the rules are processed.

The rule with the lowest number has the highest priority.

Steps to Block/Allow ECP with Client Access Rules

Using the New-ClientAccessRule command, we will allow EAC access only from a subnet that we specify and deny it from everywhere else.

New-ClientAccessRule -Name "Block-ECP Servers" -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -ExceptAnyOfClientIPAddressesOrRanges 192.168.1.1/24 -Priority 1

The parameters used in the command are explained below:

  • Name: The name assigned to the rule is "Block-ECP Servers". This name was chosen to explain the purpose of the rule.
  • Action: The action of the rule is DenyAccess, which means that access will be blocked under the specified conditions.
  • AnyOfProtocols: This parameter determines which protocols the rule applies to. Here ExchangeAdminCenter is used, so this rule will only be applied to the EAC protocol.
  • ExceptAnyOfClientIPAddressesOrRanges: This parameter defines the exception IP addresses or ranges to which the rule will not be applied. The range specified as 192.168.1.1/24 covers the IP addresses to which the rule will not be applied; that is, devices in this IP range will still be able to access EAC.
  • Priority: Determines the priority of the rule. The value 1 indicates that this rule takes precedence over all other rules; that is, this rule will be at the top of the list of rules with higher priority (lower numbers) and will be applied first.

If you need to turn off ECP using IIS on Exchange Server, you can follow the article below.

https://cengizyilmaz.net/exchange-server-ecp-kapatma/

Blocking RemotePowerShell with Client Access Rule

Following the access restrictions we implemented on EAC, we take our security measures one step further and also limit Remote PowerShell access. For this, we will use a Client Access Rule to allow access from a specific IP address range while blocking access from all others.

New-ClientAccessRule -Name "Block-PowerShell" -Action DenyAccess -AnyOfProtocols RemotePowerShell -ExceptAnyOfClientIPAddressesOrRanges 10.190.65.1/24 -Priority 2

The above command defines a global access ban for the Remote PowerShell protocol, but excludes the IP address range 10.190.65.1/24 from this ban. We assigned the number '2' as the priority.

Changing Priority with Client Access Rule

In our Block-PowerShell rule, we configured the Priority value as 2, and in the Block-ECP Servers rule, we configured the Priority value as 1. Now let's change the Priority value of the Block-PowerShell rule and check whether we need to update the priority of the EAC rule.

Set-ClientAccessRule -Identity "Block-PowerShell" -Priority 1

To see the details of our changed rule:

Get-ClientAccessRule -Identity "Block-ECP Servers" | FL Name,Priority,Enabled,Scope

The rule we created for EAC was automatically updated to Priority 2, so we do not need to change the Priority in all our rules.

Listing Active Rules with Client Access Rule

After the installation process is complete, we can list the Client Access rules that are active in our Exchange Server environment. We can use the following PowerShell command for this review process:

Get-ClientAccessRule

Test Steps with Client Access Rules

To verify the effectiveness of the ECP access rule we created, we plan a test using the Test-ClientAccessRule cmdlet provided by Microsoft.

Test-ClientAccessRule -RemoteAddress 192.168.2.30 -RemotePort 443 -Protocol ExchangeAdminCenter -User Administrator -AuthenticationType BasicAuthentication

This test simulates an access attempt from a device with the IP address 192.168.2.30 to ECP (Exchange Admin Center) over port 443 using BasicAuthentication, and checks whether this access is possible for the Administrator user. The test result shows whether the rule we specified works as expected.
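The create-then-verify procedure above, collected into one Exchange Management Shell script, as an added example that is not part of the original article. The subnets and test addresses are constructed placeholders, and the script assumes that Test-ClientAccessRule returns the matching rule objects with their Action property, so an empty result means the connection is not blocked.

```powershell
# Added example (not from the original article). Subnets below are constructed
# placeholders; replace them with the management networks that must keep access.
$AdminSubnets = @("192.168.1.0/24", "10.190.65.0/24")
$Rules = @(
    @{ Name = "Block-ECP Servers"; Protocol = "ExchangeAdminCenter"; Priority = 1 },
    @{ Name = "Block-PowerShell";  Protocol = "RemotePowerShell";    Priority = 2 }
)

foreach ($r in $Rules) {
    # Create the rule if it does not exist yet, otherwise update it in place so
    # re-running the script does not produce duplicate rules.
    $existing = Get-ClientAccessRule -Identity $r.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-ClientAccessRule -Name $r.Name -Action DenyAccess -AnyOfProtocols $r.Protocol `
            -ExceptAnyOfClientIPAddressesOrRanges $AdminSubnets -Priority $r.Priority
    } else {
        Set-ClientAccessRule -Identity $r.Name `
            -ExceptAnyOfClientIPAddressesOrRanges $AdminSubnets -Priority $r.Priority
    }
}

# Verify before relying on the rules: an address inside the exception list must
# still reach both services, an address outside it must be denied. 203.0.113.7 is
# a constructed "outsider" address.
$Cases = @(
    @{ Address = "192.168.1.20"; Protocol = "ExchangeAdminCenter"; ExpectDeny = $false },
    @{ Address = "203.0.113.7";  Protocol = "ExchangeAdminCenter"; ExpectDeny = $true  },
    @{ Address = "10.190.65.5";  Protocol = "RemotePowerShell";    ExpectDeny = $false },
    @{ Address = "203.0.113.7";  Protocol = "RemotePowerShell";    ExpectDeny = $true  }
)

foreach ($c in $Cases) {
    # Assumption: Test-ClientAccessRule outputs the rules that match this connection.
    $hit = Test-ClientAccessRule -RemoteAddress $c.Address -RemotePort 443 -Protocol $c.Protocol `
        -User Administrator -AuthenticationType BasicAuthentication
    $denied = @($hit | Where-Object { $_.Action -eq "DenyAccess" }).Count -gt 0
    $status = if ($denied -eq $c.ExpectDeny) { "OK  " } else { "FAIL" }
    "{0} {1,-20} {2,-15} denied={3}" -f $status, $c.Protocol, $c.Address, $denied
}

# Final view of the rule set, lowest priority number (highest priority) first.
Get-ClientAccessRule | Sort-Object Priority |
    Format-Table Name, Priority, Action, AnyOfProtocols, Enabled -AutoSize
```

Because of the caching described earlier, run the verification loop again once the rules have had time to become active; a FAIL line on a freshly created rule may only reflect the propagation delay.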

Client Access Rule and Storage Logic

As with other Exchange Server configurations, Client Access Rules (CAR) are stored in Active Directory. Viewed through ADSI (Active Directory Service Interfaces), these rules are kept in the Active Directory structure under the object named "Client Access Rules".


Conclusion: Client Access Rules (CAR) in Exchange Server gives administrators the power to restrict users’ access to Exchange services such as EAC, Remote PowerShell. These rules can be applied based on specific parameters such as IP addresses or user attributes. Centrally storing configurations on ADSI makes the management process secure and efficient. These features increase the security of your Exchange environment, reduce the administrative workload and improve the overall performance of your IT infrastructure.
