Solved

RPC over HTTPS and Exchange 2003

Posted on 2004-04-29
Last Modified: 2010-04-08
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password bleep encrypted
passwd bleep encrypted
hostname plato
domain-name nuh-uh
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 172.16.10.0 devnet
name 172.16.0.0 corpnet
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any host xxx.xxx.xx.254 eq smtp
access-list 101 permit tcp any host xxx.xxx.xx.254 eq ssh
access-list 101 permit tcp any host xxx.xxx.xx.253 eq https
access-list inside_outbound_nat0_acl permit ip any 172.16.100.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 172.16.100.0 255.255.255.192
access-list mbi_splitTunnelAcl permit ip corpnet 255.255.255.0 any
access-list mbi_splitTunnelAcl permit ip devnet 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xxx.xxx.xx.226 255.255.255.224
ip address inside 172.16.0.2 255.255.255.0
ip address dmz1 172.16.20.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.100.10-172.16.100.60
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 172.16.0.200 255.255.255.255 inside
pdm location devnet 255.255.255.0 inside
pdm location 172.16.0.3 255.255.255.255 inside
pdm location 172.16.20.4 255.255.255.255 dmz1
pdm location 172.16.0.4 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xx.227-xxx.xxx.xx.247 netmask 255.255.255.224
global (outside) 1 xxx.xxx.xx.248 netmask 255.255.255.224
global (dmz1) 1 172.16.20.10-172.16.20.40 netmask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,inside) xxx.xxx.xx.254 172.16.20.4 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xx.254 172.16.20.4 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xx.253 172.16.0.4 netmask 255.255.255.255 0 0
access-group 101 in interface outside
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 206.173.51.225 1
route inside devnet 255.255.255.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.16.0.3 ah-ah-ah timeout 10
aaa-server LOCAL protocol local
ntp server 172.16.0.3 source inside prefer
http server enable
http 172.16.0.3 255.255.255.255 inside
http 172.16.0.200 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 172.16.0.3 /firewall
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mbi address-pool vpnpool
vpngroup mbi dns-server 172.16.0.3 172.16.0.4
vpngroup mbi wins-server 172.16.0.3 172.16.0.4
vpngroup mbi default-domain foo.foo.foo.foo.foo
vpngroup mbi split-tunnel mbi_splitTunnelAcl
vpngroup mbi idle-time 1800
vpngroup mbi password ********
telnet timeout 5
ssh 172.16.0.3 255.255.255.255 inside
ssh 172.16.0.200 255.255.255.255 inside
ssh timeout 5
console timeout 20
terminal width 80
Cryptochecksum:6ba2db3d8572b7bd90c469fa57ff8332
: end
[OK]

*************

The above works like a charm outside of this network for allowing port 443 access to our Exchange Server 2003 (OWA).  Not crazy about the hole down the center of my firewall but I'm not going to:

a.  Put the exchange server on the DMZ
b.  Buy another server and put a 'front-end' server on the DMZ

So OWA over SSL this way will have to do.  I am in fact going to run a postfix/SpamAssassin box in the DMZ as a gateway, so this setup should be not bad for a 30-person company. (IMO)

Now here is my quandary.  Users connect to the Exchange box via an inside address on this side of the firewall, and the Exchange server does other things too, so changing its internal address is not an option.  Users on the outside of the firewall use an internet address to access OWA (the ISP is so new I haven't transferred our domain yet).

How the heck do I do this whiz-bang 'go wherever' and get access to your email from Outlook?  Do the remote users point to the 'external address' of the Exchange server even on the inside of the firewall?  I've noticed that I can't connect to the outside address of the Exchange server (the (inside,outside) static statement) from inside the firewall. I imagine the firewall gets confused by the request to the static because I'm trying to initiate a connection from the same subnet as the Exchange server, only using its public address (how dumb is that, thank you so much MS =P )

Any ideas?

Question by:MBIstephen

Expert Comment

by:Tim Holman
ID: 10958027
If this is your Exchange server NAT rule, then putting the 'dns' keyword in will mean that internal users who access mail.mycompany.com, which resolves to an external address (xxx.xxx.xxx.253), will get DNS rewritten to point mail.mycompany.com to the inner address, 172.16.0.4.

static (inside,outside) xxx.xxx.xx.253 172.16.0.4 dns netmask 255.255.255.255 0 0

Should do the trick !!  ;)
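Tim's 'dns' keyword (DNS doctoring) modelled in Python, as an added example rather than anything posted in this thread: the firewall rewrites A-record answers that carry the static's global address into the mapped inside address before the reply reaches an inside client. It assumes a constructed reply for mail.mycompany.com and uses 198.51.100.253 as a placeholder for the masked xxx.xxx.xx.253.

```python
import struct
from ipaddress import IPv4Address

# Constructed stand-in for the thread's static with the 'dns' keyword:
#   static (inside,outside) xxx.xxx.xx.253 172.16.0.4 dns netmask ...
# 198.51.100.253 is a documentation-range placeholder for xxx.xxx.xx.253.
STATIC_DNS = {"198.51.100.253": "172.16.0.4"}

def build_reply(name, addr, txid=0x1234):
    """Constructed minimal DNS reply: one A question, one A answer."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    # The answer name is a compression pointer (0xC00C) back to the question.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(addr).packed
    return header + question + answer

def skip_name(msg, off):
    """Offset just past a domain name, compressed or not."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer is 2 bytes and ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def doctor_reply(msg, static_map=STATIC_DNS):
    """Model of the PIX 'dns' keyword on a reply bound for an inside client:
    A-record rdata equal to a static's global address is swapped for the
    mapped inside address, so inside users resolve the name straight to
    172.16.0.4. Returns (doctored_message, answer_addresses)."""
    msg = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            seen = str(IPv4Address(bytes(msg[off:off + 4])))
            if seen in static_map:
                msg[off:off + 4] = IPv4Address(static_map[seen]).packed
            answers.append(str(IPv4Address(bytes(msg[off:off + 4]))))
        off += rdlen
    return bytes(msg), answers
```

Only DNS replies pass through this rewrite, so a client that is pointed at the bare public IP never benefits from it; that is why testing from inside with the address instead of a name does not exercise the static's dns keyword.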

Expert Comment

by:Tim Holman
ID: 10958118
Don't forget to run these afterwards:

clear xlate
clear arp
wr mem

Author Comment

by:MBIstephen
ID: 10961132
ah...

unfortunately our domain is at another ISP for now, so I can't 'test' this; I don't have an A record for the address... so I take it there is no way to simply use the address, not a name, to do this?

Expert Comment

by:Tim Holman
ID: 10961433
You can test with just an IP address like this by telnetting to port 25.

http://support.microsoft.com:80/support/kb/articles/Q153/1/19.asp&NoWebContent=1


Author Comment

by:MBIstephen
ID: 10963458
hmm...I appreciate the responses but maybe I'm not being clear..

SMTP is a different issue... I'm trying to figure out what my mobile users should do to be able to get their email in their Outlook client no matter where they are.

Right now they connect to the Exchange Server via the internal name/address... OWA works from a web browser.

According to Microsoft, Outlook will use RPC over HTTP to provide a 'seamless' connection to your inbox from Outlook from the internet.  What is not really that clear is how they want you to implement this (well, they do tell you to use the ISA 'web site publishing' wizard).

Before I tell everyone with a laptop to change their Exchange server entry to something other than an internal server, I have to verify that it works.  Right now, you can't access OWA using the external address from inside of the firewall.  Not sure what telnetting into port 25 does to prove the concept that you can connect to Exchange via Outlook no matter where you are...

Accepted Solution

by: Tim Holman (earned 250 total points)
ID: 10966716

Expert Comment

by:xloveusa
ID: 12248309
I have a similar configuration in my PIX firewall but I cannot connect to my Exchange server with OL2003 to EX2003 with https over rpc. Do I have to have a front-end server? Right now my Exchange server is terminating the connection. It works inside, just not from the outside in.