4. Configuring Exchange Admin Center
You can configure Exchange Admin Center for single-server and
multiserver environments. In a single-server environment, you use one
Client Access server for all of your remote management needs. In a
multiple-server environment, you can instruct administrators to use
different URLs to access different Client Access servers, or you can
use Client Access arrays with multiple, load-balanced servers and give
all administrators the same access URL.
Real World
If you have multiple Client Access servers in the same Active
Directory site, you put them all in the same single CAS array, and then
you point to the CAS array. Note that the load balancing performed by
the array applies automatically to RPC Client Access only. You need to use
some other means to load balance the HTTPS requests against the array.
Note
You can use Exchange Admin Center with firewalls. You configure your
network to use a perimeter network with firewalls in front of the
designated Client Access servers and then open port 443 to the IP
addresses of your Client Access servers. If Secure Sockets Layer (SSL)
is enabled and you want to use SSL exclusively, you only need port 443,
and you don’t need to open port 80.
You can manage the Exchange Admin Center application using Internet
Information Services (IIS) Manager or Exchange Management Shell. The
related commands for Exchange Management Shell are as follows:
- Get-ECPVirtualDirectory. Displays information about the ECP application
  running on the Web server providing services for Exchange. By default
  only front-end virtual directories are listed. Add
  -ShowMailboxVirtualDirectories to also display the back-end virtual
  directories.
    Get-ECPVirtualDirectory [-Identity AppName]
      [-ADPropertiesOnly <$true | $false>]
      [-ShowMailboxVirtualDirectories <$true | $false>]
      [-DomainController DomainControllerName]
    Get-ECPVirtualDirectory -Server ExchangeServerName
      [-ADPropertiesOnly <$true | $false>]
      [-ShowMailboxVirtualDirectories <$true | $false>]
      [-DomainController DomainControllerName]
- New-ECPVirtualDirectory. Creates a new ECP application running on the
  Web server providing services for Exchange. You should use this command
  only for troubleshooting scenarios where you are required to remove and
  re-create the ECP virtual directory.
    New-ECPVirtualDirectory [-AppPoolId AppPoolName]
      [-DomainController DomainControllerName] [-ExternalUrl URL]
      [-InternalUrl URL] [-WebSiteName SiteName]
- Remove-ECPVirtualDirectory. Use the Remove-ECPVirtualDirectory cmdlet
  to remove a specified ECP application providing services for Exchange.
    Remove-ECPVirtualDirectory -Identity AppName
      [-DomainController DomainControllerName]
- Set-ECPVirtualDirectory. Modifies the configuration settings for a
  specified ECP application providing services for Exchange. Set
  -AdminEnabled to $false to turn off Internet access to the Exchange
  Admin Center.
    Set-ECPVirtualDirectory -Identity AppName
      [-AdminEnabled <$true | $false>]
      [-BasicAuthentication <$true | $false>]
      [-DomainController DomainControllerName]
      [-ExternalAuthenticationMethods Methods]
      [-DigestAuthentication <$true | $false>]
      [-FormsAuthentication <$true | $false>]
      [-ExternalUrl URL] [-GzipLevel <Off | Low | High | Error>]
      [-InternalUrl URL] [-LiveIdAuthentication <$true | $false>]
      [-WindowsAuthentication <$true | $false>]
- Test-ECPConnectivity. Displays information about the ECP application
  running on the Web server providing services for Exchange.
    Test-ECPConnectivity [-ClientAccessServer ServerName]
      [-MailboxServer ServerName] [-DomainController DomainControllerName]
      [-RTSEndPoint EndPointID] [-TestType <Internal | External>]
      [-MonitoringContext <$true | $false>]
      [-ResetTestAccountCredentials <$true | $false>]
      [-Timeout NumSeconds] [-TrustAnySSLCertificate <$true | $false>]
      [-VirtualDirectoryName DirectoryName]
At the Exchange Management Shell prompt, you can confirm the location of
the Exchange Admin Center application by typing Get-ECPVirtualDirectory.
The command lists the name of the application, the associated website,
and the server on which the application is running, as shown in the
following example:
    Name                      Server
    -------                   -------
    ecp (Default Web Site)    MailServer18
In this example, a standard configuration is being used, in which
the application named ECP is running on the Default Web Site on
MailServer18. You can use Set-ECPVirtualDirectory to specify the
internal and external URL to use as well as the permitted
authentication types. Authentication types you can enable or disable
include basic authentication, Windows authentication, and Live ID basic
authentication. You can use New-ECPVirtualDirectory to create or
re-create an ECP application on a Web server providing services for
Exchange and Remove-ECPVirtualDirectory to remove an ECP application.
You can verify that Exchange Admin Center is working properly using
Test-ECPConnectivity.
The PowerShell application has a similar set of commands. In
Exchange Management Shell, the related commands are
New-PowerShellVirtualDirectory, Get-PowerShellVirtualDirectory,
Set-PowerShellVirtualDirectory, and Test-PowerShellConnectivity. If you
enter Get-PowerShellVirtualDirectory | Format-List,
you’ll get configuration details for each Client Access server in the
Exchange organization. You can use Set-PowerShellVirtualDirectory to
enable or disable authentication mechanisms, including basic
authentication, certificate authentication, Live ID basic
authentication, Live ID NTLM negotiate authentication, and Windows
authentication. You can also specify the internal and external URLs for
the PowerShell virtual directory on a per-server basis. By default,
servers have only internal URLs for PowerShell. For troubleshooting
issues related to the PowerShell virtual directory, enter Test-PowerShellConnectivity followed by the URL to test, such as https://mailer1.cpandl.com/powershell.
You’ll also find commands for working with virtual directories related to:
- Outlook Web Access, including New-OwaVirtualDirectory,
  Get-OwaVirtualDirectory, Set-OwaVirtualDirectory, and
  Remove-OwaVirtualDirectory
- Offline Address Books, including New-OabVirtualDirectory,
  Get-OabVirtualDirectory, Set-OabVirtualDirectory, and
  Remove-OabVirtualDirectory
- Autodiscover, including New-AutodiscoverVirtualDirectory,
  Get-AutodiscoverVirtualDirectory, Set-AutodiscoverVirtualDirectory, and
  Remove-AutodiscoverVirtualDirectory
Keep in mind that there are separate but interconnected virtual
directories on both Client Access servers and Mailbox servers.
Typically, front-end virtual directories are used for authentication
and proxying while back-end virtual directories are used for actual
processing. Although the front-end and back-end virtual directories
have different components and configurations, the Exchange cmdlets for
creating these virtual directories are designed to configure the
appropriate settings and components for either front-end or back-end
use as appropriate.
When an Exchange server has both the Client Access server and the
Mailbox server role, you should specify explicitly whether you want to
work with the front-end or back-end components. You do this by
specifying the related website name. The Default Web Site is used by
the front-end components and the Exchange Back End website is used by
back-end components.
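The following is an added example, not taken from the original text, that ties together the -AdminEnabled setting of Set-ECPVirtualDirectory and the front-end/back-end website distinction described above: it reviews ECP virtual directory objects and reports which front-end directories still expose the Exchange Admin Center externally. The helper name Get-EcpExposureFinding, the sample objects, and the URL mail.example.test are assumptions made for illustration.

```powershell
# Added example: review ECP virtual directory settings for admin exposure.
# Get-EcpExposureFinding is a hypothetical helper, not an Exchange cmdlet.
function Get-EcpExposureFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$VirtualDirectory
    )
    process {
        $vd = $VirtualDirectory
        # Front-end directories sit on "Default Web Site", back-end ones on "Exchange Back End".
        $tier = if ($vd.Name -like '*(Exchange Back End)*') { 'BackEnd' } else { 'FrontEnd' }
        $issues = @()
        if ($tier -eq 'FrontEnd' -and $vd.AdminEnabled -and $vd.ExternalUrl) {
            $issues += 'Admin Center enabled on a directory with an external URL'
        }
        if ($vd.BasicAuthentication -and "$($vd.ExternalUrl)" -like 'http://*') {
            $issues += 'Basic authentication offered over a non-SSL external URL'
        }
        [pscustomobject]@{
            Server       = $vd.Server
            Name         = $vd.Name
            Tier         = $tier
            AdminEnabled = [bool]$vd.AdminEnabled
            Issues       = $issues -join '; '
        }
    }
}

# Constructed sample objects shaped like Get-ECPVirtualDirectory output (not real data).
$sample = @(
    [pscustomobject]@{ Server = 'MailServer18'; Name = 'ecp (Default Web Site)'; AdminEnabled = $true
                       BasicAuthentication = $true; ExternalUrl = 'https://mail.example.test/ecp' }
    [pscustomobject]@{ Server = 'MailServer18'; Name = 'ecp (Exchange Back End)'; AdminEnabled = $true
                       BasicAuthentication = $false; ExternalUrl = $null }
)
$sample | Get-EcpExposureFinding | Format-Table -AutoSize -Wrap

# On an Exchange server, feed the real objects instead of the sample:
#   Get-ECPVirtualDirectory -ShowMailboxVirtualDirectories | Get-EcpExposureFinding
# To turn off Internet access to the Admin Center on a flagged front-end directory:
#   Set-ECPVirtualDirectory -Identity 'MailServer18\ecp (Default Web Site)' -AdminEnabled $false
```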