Deactivation of Extended Protection in CU14 update for Exchange Server 2019

Applies to version: 2023 R3 and above; author: Łukasz Maciaszkiewicz

Introduction

With the release of the 14^th cumulative update (CU14) for Microsoft Exchange Server 2019, there has been a revision in the approach to the Extended Protection feature. As a result, the feature, previously optional in earlier update packages, is now automatically enabled by default during installation of this update in GUI mode.

This article describes the issues encountered by users of the WEBCON BPS platform which arise from the activation of the Extended Protection feature upon installing the CU14 update. Furthermore, it demonstrates how to disable this function during installation in unattended mode, as well as discusses its deactivation in scenarios where it has already been enabled.

Extended Protection and connectivity issues

The Extended Protection feature adds an additional layer of protection by requiring stronger client authentication and securing client-server communication. However, activating this feature can lead to a number of connection issues in specific scenarios, such as environments utilizing SSL offloading, or situations where the public folder hierarchy is hosted on an Exchange server with the CU11 update installed. The detailed description of all such scenarios is available here. 

Compromised access to WEBCON BPS functionalities

For the WEBCON BPS platform, enabling the Extended Protection function results in blocking connection with the Exchange Web Services (EWS) interface. In practical terms, this translates into the paralysis of certain popular functionalities, such as HotMailBoxes or MailApproval, as well as the inability to execute actions within the Exchange group (Exchange events, Exchange tasks, and Out of office autoreply). Hence, compromised access to these functionalities can present a significant challenge for many WEBCON BPS users.

Disabling the Extended Protection function

Although the Extended Protection function is enabled by default during the installation of the CU14 update, it is still possible to deactivate it. This can be done both during the installation (which is recommended) and at a later stage (if the function had already been enabled during the installation). Below, you will find possible solutions that enable full enjoyment of the WEBCON BPS functionalities with the installed CU14 update.

• Recommended solution: disable Extended Protection for Front-End EWS virtual directory when installing the CU14 update in unattended mode

Please note that the inability to deactivate the Extended Protection function only applies to the update installation in GUI mode, i.e., using the graphical user interface. However, this is not the only method for executing such an installation. The solution is provided by the unattended mode. In this case, the installation is conducted using the command line interface in administrative mode or through the Exchange Management Shell console, following the procedure below:

1. check if your environment meets the update requirements;
2. download the ISO image of the update files from Microsoft website available here
3. mount the image;
4. run the command line interface or Exchange Management Shell, and navigate to the disk containing the mounted image;
5. run the Setup.exe with the /DoNotEnableEP_FEEWS parameter (or alternatively /DoNotEnableEP);
6. The installation will be carried out within the command line interface (or Exchange Management Shell) with the Extended Protection function disabled.

• Contingency solution: disable Extended Protection activated during the CU14 installation

If the CU14 update has already been installed with the Extended Protection function activated, it is still possible to disable it at a later stage. This can be accomplished by utilizing a dedicated script provided by Microsoft and executing it within the Exchange Management Shell console. To leverage this opportunity, you must be assigned to the Organization Management role group in Exchange Server 2019 and adhere to the procedure described below:

1. download the ExchangeExtendedProtectionManagement script available here;
2. launch the Exchange Management Shell console with elevated privileges;
3. retrieve all the IP addresses for which it is possible to restrict access to the virtual directory by entering the following command in the console:

 .ExchangeExtendedProtectionManagement.ps1 -FindExchangeServerIPAddresses -OutputFilePath "C:tempExchangeIPs.txt"

4. using the syntax below, disable Extended Protection for the EWS backend virtual directory:

.ExchangeExtendedProtectionManagement.ps1 -RestrictType "EWSBackend" -IPRangeFilePath "C:tempExchangeIPs.txt";

5. cose the Exchange Management Shell console and proceed to restart the operating system.

Additional information about the script can be found in the article published by Microsoft on its GitHub platform at this address. The information within it also includes additional commands and parameters that can be used in conjunction with the script.

Summary

The presented solutions enable WEBCON BPS users to utilize the newest features provided within the CU14 update without risking the loss of access to certain functionalities. Users planning such an update are also encouraged to familiarize themselves with additional materials and articles referenced in this document.