Securing the Exchange Control Panel using NetScaler Application Firewall
For this blog post I assume that you are already load balancing your Exchange Servers with the NetScaler. If not, you can find a great Deployment Guide by Citrix here. In my lab environment I also use Content Switching, so you may have to adjust which Virtual Server you bind your Application Firewall Policy to. Let's start!
Navigate to Security -> Application Firewall -> Profiles
Here we will create a new Application Firewall Profile. Enter a Profile Name of your choice and click “Create”.
Double-click the newly created Profile and switch to the Security Checks tab. Double-click Deny URL, add a new Deny URL, enter the following expression: “^[^?]*/ecp” (without the quotes), and tick the “Enabled” check box. The expression matches any request in which /ecp appears before the first “?”, that is, in the URL path rather than in the query string. In the General tab enable at least the Block check box. Press OK.
In the “Configure Web Application Firewall Profile” window switch to the Settings tab. Here you can specify what happens when /ecp is accessed. In my setup I decided to redirect the visitor to my blog. You can also create an HTML page and upload it to the NetScaler.
Now that the Profile has been created, we have to create a Policy and bind the Profile to that Policy. To do this, go to Security -> Application Firewall -> Policies -> Firewall and click “Add”. Choose an appropriate name for the Policy, select the created Profile from the dropdown menu, and enter “true” as the expression. Press OK.
To finish the setup we have to bind the Policy to a vServer, to a Content Switch vServer, or globally. In my lab I decided to apply this Policy to the Content Switch vServer. We do this with the Application Firewall Policy Manager, which you will find under Security -> Application Firewall -> Application Firewall Policy Manager. Switch to the tab “CS Virtual Server”, double-click your Content Switch vServer and insert your Policy. Click Apply Change and you are done. You can now test your newly created Application Firewall by trying to access the Exchange Control Panel.
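To check which requests the Deny URL expression from the profile will catch before relying on it, the following added example (not part of the original post) evaluates it against constructed sample URLs. It assumes Python's regex engine treats this pattern the same way the appliance does; mail.example.com and the helper names are placeholders.

```python
import re
from urllib.parse import urlsplit

# Deny URL expression entered in the Application Firewall profile.
# Assumption: the appliance runs it as a regex search over the request
# URL (path plus query string), which is what re.search does below.
DENY_URL = re.compile(r"^[^?]*/ecp")


def is_denied(url: str) -> bool:
    """Return True if the Deny URL expression matches the request URL."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return DENY_URL.search(target) is not None


# Constructed sample requests with the expected verdict for each.
SAMPLES = [
    # The Exchange Control Panel itself and anything below it.
    ("https://mail.example.com/ecp", True),
    ("https://mail.example.com/ecp/default.aspx", True),
    ("https://mail.example.com/ecp/?rfr=owa", True),
    # Other Exchange paths stay reachable.
    ("https://mail.example.com/owa/", False),
    # "/ecp" only inside the query string: [^?]* cannot cross the "?".
    ("https://mail.example.com/owa/?url=/ecp", False),
    # The pattern has no boundary after "ecp", so any path segment that
    # merely starts with "ecp" is blocked too (possible false positive).
    ("https://mail.example.com/docs/ecp-guide.html", True),
]


def check_samples():
    """Return (url, actual, expected) for every sample request."""
    return [(url, is_denied(url), expected) for url, expected in SAMPLES]


if __name__ == "__main__":
    for url, actual, expected in check_samples():
        status = "ok" if actual == expected else "MISMATCH"
        verdict = "deny " if actual else "allow"
        print(f"{status:8} {verdict} {url}")
```

Add the URLs your own clients use (OWA, ActiveSync, Autodiscover and so on) to the sample list to confirm that only the Exchange Control Panel is blocked.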