Solved

RPC over HTTPS and Exchange 2003

Posted on 2004-04-29
Last Modified: 2010-04-08
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password bleep encrypted
passwd bleep encrypted
hostname plato
domain-name nuh-uh
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 172.16.10.0 devnet
name 172.16.0.0 corpnet
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any host xxx.xxx.xx.254 eq smtp
access-list 101 permit tcp any host xxx.xxx.xx.254 eq ssh
access-list 101 permit tcp any host xxx.xxx.xx.253 eq https
access-list inside_outbound_nat0_acl permit ip any 172.16.100.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 172.16.100.0 255.255.255.192
access-list mbi_splitTunnelAcl permit ip corpnet 255.255.255.0 any
access-list mbi_splitTunnelAcl permit ip devnet 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xxx.xxx.xx.226 255.255.255.224
ip address inside 172.16.0.2 255.255.255.0
ip address dmz1 172.16.20.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.100.10-172.16.100.60
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 172.16.0.200 255.255.255.255 inside
pdm location devnet 255.255.255.0 inside
pdm location 172.16.0.3 255.255.255.255 inside
pdm location 172.16.20.4 255.255.255.255 dmz1
pdm location 172.16.0.4 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xx.227-xxx.xxx.xx.247 netmask 255.255.255.224
global (outside) 1 xxx.xxx.xx.248 netmask 255.255.255.224
global (dmz1) 1 172.16.20.10-172.16.20.40 netmask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,inside) xxx.xxx.xx.254 172.16.20.4 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xx.254 172.16.20.4 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xx.253 172.16.0.4 netmask 255.255.255.255 0 0
access-group 101 in interface outside
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 206.173.51.225 1
route inside devnet 255.255.255.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.16.0.3 ah-ah-ah timeout 10
aaa-server LOCAL protocol local
ntp server 172.16.0.3 source inside prefer
http server enable
http 172.16.0.3 255.255.255.255 inside
http 172.16.0.200 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 172.16.0.3 /firewall
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mbi address-pool vpnpool
vpngroup mbi dns-server 172.16.0.3 172.16.0.4
vpngroup mbi wins-server 172.16.0.3 172.16.0.4
vpngroup mbi default-domain foo.foo.foo.foo.foo
vpngroup mbi split-tunnel mbi_splitTunnelAcl
vpngroup mbi idle-time 1800
vpngroup mbi password ********
telnet timeout 5
ssh 172.16.0.3 255.255.255.255 inside
ssh 172.16.0.200 255.255.255.255 inside
ssh timeout 5
console timeout 20
terminal width 80
Cryptochecksum:6ba2db3d8572b7bd90c469fa57ff8332
: end
[OK]

*************

The above works like a charm outside of this network for allowing port 443 access to our Exchange Server 2003 (OWA).  Not crazy about the hole down the center of my firewall but I'm not going to:

a.  Put the exchange server on the DMZ
b.  Buy another server and put a 'front-end' server on the DMZ

So OWA over SSL this way will have to do.  I am in fact going to run a postfix/SpamAssassin box in the dmz as a gateway so this setup should be not bad for a 30 person company. (IMO)

Now here is my quandary.  Users connect to the Exchange Box via an inside address on this side of the firewall, and the Exchange server does other things too, so changing its internal address is not an option.  Users on the outside of the firewall use an internet address to access OWA (the ISP is so new I haven't transferred our domain yet).

How the heck do I do this whiz-bang 'go wherever' and get access to your email from outlook?  Do the remote users point to the 'external address' of the exchange server even on the inside of the firewall?  I've noticed that I can't connect to the outside address of the exchange server (the (inside,outside) static statement) from inside the firewall, I imagine the firewall gets confused by the request to static because I'm trying to initiate a connection from the same subnet as the exchange server only using its public address (how dumb is that, thank you so much MS =P )

Any ideas?

Question by:MBIstephen
7 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10958027
If this is your exchange server NAT rule, then putting the 'dns' keyword in will mean that internal users who access mail.mycompany.com, which resolves to an external address (xxx.xxx.xxx.253), will get DNS rewritten to point mail.mycompany.com to the inner address, 172.16.0.4.

static (inside,outside) xxx.xxx.xx.253 172.16.0.4 dns netmask 255.255.255.255 0 0

Should do the trick !!  ;)
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10958118
Don't forget to run these afterwards:

clear xlate
clear arp
wr mem
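An added check, not from this thread or from Cisco, that applies the two comments above to a PIX 6.3 configuration: it parses the `static` lines, flags an (inside,outside) static that the outside ACL publishes a service on but that lacks the `dns` keyword, and produces the corrected line. The sample config is a constructed excerpt of the question's own config (the xxx.xxx.xx.* addresses are the poster's redactions, treated as opaque tokens), and the regexes assume the `static`/`access-list` syntax shown on this page.

```python
import re
from dataclasses import dataclass
# Constructed excerpt modelled on the PIX 6.3 config in the question (xxx.* = poster's redactions).
SAMPLE_CONFIG = """\
access-list 101 permit tcp any host xxx.xxx.xx.254 eq smtp
access-list 101 permit tcp any host xxx.xxx.xx.253 eq https
static (dmz1,outside) xxx.xxx.xx.254 172.16.20.4 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xx.253 172.16.0.4 netmask 255.255.255.255 0 0
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>\S+) (?P<real>\S+)"
    r"(?P<opts>(?: \S+)*?) netmask \S+.*$")
ACL_RE = re.compile(r"^access-list \S+ permit tcp any host (?P<host>\S+) eq \S+$")

@dataclass
class Static:
    real_if: str    # interface holding the real (private) address
    mapped_if: str  # interface on which the mapped (public) address is presented
    mapped: str
    real: str
    dns: bool       # True when the 'dns' keyword (DNS doctoring) is present
    line: str

def parse_statics(config):
    """Extract every 'static (a,b) mapped real [dns] netmask ...' line."""
    found = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if m:
            found.append(Static(m["real_if"], m["mapped_if"], m["mapped"], m["real"],
                                "dns" in m["opts"].split(), raw.strip()))
    return found

def published_hosts(config):
    """Mapped addresses to which the outside ACL opens an inbound TCP port."""
    return {m["host"] for raw in config.splitlines()
            if (m := ACL_RE.match(raw.strip()))}

def doctoring_findings(config):
    """(original static, same static with 'dns' added) for each inside->outside static
    that publishes a service without DNS doctoring: inside clients resolving the public
    name then get the outside address, which is the symptom described in the question."""
    published = published_hosts(config)
    findings = []
    for s in parse_statics(config):
        if (s.real_if, s.mapped_if) == ("inside", "outside") and s.mapped in published and not s.dns:
            findings.append((s.line, s.line.replace(f"{s.real} netmask", f"{s.real} dns netmask", 1)))
    return findings
```

The rewrite only happens to A-record replies that actually pass through the PIX with `fixup protocol dns` enabled, so inside clients must resolve the public name via a resolver whose replies cross the firewall for the fix to take effect.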
 

Author Comment

by:MBIstephen
ID: 10961132
ah...

unfortunately our domain is at another ISP for now, I can't 'test' this I don't have A record for the address...so I take it there is no way to simply use the address not a name to do this?

 
LVL 23

Expert Comment

by:Tim Holman
ID: 10961433
You can test with just an IP address like this by telnetting to port 25.

http://support.microsoft.com:80/support/kb/articles/Q153/1/19.asp&NoWebContent=1

 

Author Comment

by:MBIstephen
ID: 10963458
hmm...I appreciate the responses but maybe I'm not being clear..

smtp is a different issue...I'm trying to figure out what my mobile users should do to be able to get in email in their outlook client no matter where they are.

Right now they connect to the Exchange Server via the internal name/address...OWA works from a web browser.

According to Microsoft, outlook will use rpc over http to provide 'seamless' connection to your inbox from outlook from the internet.  What is not really that clear is how they want you to implement this (well, they do tell you to use the ISA 'web site publishing' wizard).

Before I tell everyone with a laptop to change their exchange server entry to something other than an internal server, I have to verify that it works.  Right now, you can't access OWA using the external address from inside of the firewall.  Not sure what telnetting into port 25 does to prove the concept that you can connect to exchange via outlook no matter where you are...
 
LVL 23

Accepted Solution

by: Tim Holman earned 250 total points
ID: 10966716
 

Expert Comment

by:xloveusa
ID: 12248309
I have a similar configuration in my pix firewall but I cannot connect to my exchange server with OL2003 to EX2003 with https over rpc. Do I have to have a front end server? Right now my exchange server is terminating the connection. It works inside just not from the outside in.