Blog: Exchange 2016

In most of our Exchange environments, we'll have port 443 open to the outside for ActiveSync and Outlook Anywhere. When you do that, you'll also open up OWA and ECP to the outside. If you'd like to keep access for ActiveSync and Outlook Anywhere open but would like to block OWA and ECP you can follow the steps below.

There are a few ways to block OWA and ECP to external addresses, but the best method is probably to use the IP and Domain Restrictions feature in IIS. This feature isn't available by default, so you'll have to install it.
To install it, open Server Manager, select Add Roles and Features. In the Add Roles and Features Wizard, under Server Roles, expand Web Server (IIS), then expand Web Server, and then expand Security. Then click the checkbox for IP and Domain Restrictions.

Once that installs, open IIS, expand Default Web Site and click on the OWA Virtual Directory. You'll now see the IP Address and Domain Restrictions feature available.

When you open that feature you can add an Allow Restriction Rule or a Deny Restriction Rule. My suggestion would be to add the subnets you would like to be able to access OWA and ECP (internally and externally) and then change the default behavior for unspecified clients to Deny.

To add an entire subnet as an allowed subnet, click Add Allow Entry, and then in the Rule settings enter the IP info. You can add an individual IP, a range, or a subnet.

To change the default behavior for unspecified clients, click Edit Feature Settings and set Access for unspecified clients to Deny.

Repeat the same steps on the ECP virtual directory. Once that has been completed restart the IIS service (iisreset) to apply the changes.


I recently built a new VM with Windows Server 2016 and installed Exchange Server 2016. As part of hardening the server, I implemented our normal security header and cipher suite hardening steps. The Exchange Control Panel (ECP) appeared to function properly after these changes were implemented, but about a week later I found an issue where one of the less commonly used pages would not open. The page would not load the style sheets and you could not navigate to the page when using the FQDN from the local server. The page mostly worked when accessing it via https://localhost/ecp or from the FQDN outside the network.

During troubleshooting, I decided to remove the security headers to see if that would resolve the issue and it did. I determined that adding the X-Content-Type-Options security header broke some pages in ECP. The only option for X-Content-Type-Options is "nosniff", so there is no alternate value to set. Basically, the Exchange style sheets aren't specifying the content in the style sheets and "nosniffs" tells the browser not to guess the MIME types. I implemented all of the other common security headers, but did not implement X-Content-Type-Options.


I recently built new Exchange 2016 servers for a customer and needed to move all of the users' mailboxes to the new servers. When I initially issued the moved requests, the migrations were running about 10Mbps and only moving about 5 mailboxes at a time. There were about 700 users and 1.5TB of email, so obviously this was going to take a very long time I began researching how to increase the speed of mailbox migrations and found several settings that could be changed. Disabling content indexing allowed the migration to occur between 150Mbps and 200Mbps.

  • Disable content indexing on the target database
    • Set-MailboxDatabase "DatabaseName" -IndexEnabled:$False
      • Wait a few minutes for the content index to be disabled.
      • Verify content indexing is disabled by running Get-MailboxDatabaseCopyStatus
    • After mailboxes are migrated, the content index will need to be rebuilt
      • Set-MailboxDatabase "DatabaseName" -IndexEnabled:$True
      • Invoke-Command -ComputerName GES-EXCH1 {Stop-Service MSExchangeFastSearch; Stop-Service HostControllerService}
      • Delete old content index file from mailbox database folder
      • Invoke-Command -ComputerName GES-EXCH1 {Start-Service MSExchangeFastSearch; Start-Service HostControllerService}
      • Verify content indexing is enabled by running Get-MailboxDatabaseCopyStatus
        • Mail will need to be reindexed, so the status will be Crawling
  • Change the number of mailboxes that can be migrated at one time
    • Edit C:\Program Files\Microsoft\Exchange Server\V15\Bin\MsExchangeMailboxReplication.exe.config
    • Set the MaxActiveMovesPerSource and Target, and MaxActiveJobsPerSource and Target to desired values
    • Restart the Microsoft Exchange Mailbox Migration service
  • Create a new throttling policy

Resource: BitTitan Article - How do I disable the throttling policy on Exchange?