Solved

RPC over HTTPS and Exchange 2003

Posted on 2004-04-29
470 Views
Last Modified: 2010-04-08
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password bleep encrypted
passwd bleep encrypted
hostname plato
domain-name nuh-uh
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 172.16.10.0 devnet
name 172.16.0.0 corpnet
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any host xxx.xxx.xx.254 eq smtp
access-list 101 permit tcp any host xxx.xxx.xx.254 eq ssh
access-list 101 permit tcp any host xxx.xxx.xx.253 eq https
access-list inside_outbound_nat0_acl permit ip any 172.16.100.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 172.16.100.0 255.255.255.192
access-list mbi_splitTunnelAcl permit ip corpnet 255.255.255.0 any
access-list mbi_splitTunnelAcl permit ip devnet 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xxx.xxx.xx.226 255.255.255.224
ip address inside 172.16.0.2 255.255.255.0
ip address dmz1 172.16.20.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.100.10-172.16.100.60
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 172.16.0.200 255.255.255.255 inside
pdm location devnet 255.255.255.0 inside
pdm location 172.16.0.3 255.255.255.255 inside
pdm location 172.16.20.4 255.255.255.255 dmz1
pdm location 172.16.0.4 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xx.227-xxx.xxx.xx.247 netmask 255.255.255.224
global (outside) 1 xxx.xxx.xx.248 netmask 255.255.255.224
global (dmz1) 1 172.16.20.10-172.16.20.40 netmask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,inside) xxx.xxx.xx.254 172.16.20.4 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xx.254 172.16.20.4 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xx.253 172.16.0.4 netmask 255.255.255.255 0 0
access-group 101 in interface outside
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 206.173.51.225 1
route inside devnet 255.255.255.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.16.0.3 ah-ah-ah timeout 10
aaa-server LOCAL protocol local
ntp server 172.16.0.3 source inside prefer
http server enable
http 172.16.0.3 255.255.255.255 inside
http 172.16.0.200 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 172.16.0.3 /firewall
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mbi address-pool vpnpool
vpngroup mbi dns-server 172.16.0.3 172.16.0.4
vpngroup mbi wins-server 172.16.0.3 172.16.0.4
vpngroup mbi default-domain foo.foo.foo.foo.foo
vpngroup mbi split-tunnel mbi_splitTunnelAcl
vpngroup mbi idle-time 1800
vpngroup mbi password ********
telnet timeout 5
ssh 172.16.0.3 255.255.255.255 inside
ssh 172.16.0.200 255.255.255.255 inside
ssh timeout 5
console timeout 20
terminal width 80
Cryptochecksum:6ba2db3d8572b7bd90c469fa57ff8332
: end
[OK]

*************

The above works like a charm outside of this network for allowing port 443 access to our Exchange Server 2003 (OWA).  Not crazy about the hole down the center of my firewall but I'm not going to:

a.  Put the exchange server on the DMZ
b.  Buy another server and put a 'front-end' server on the DMZ

So OWA over SSL this way will have to do.  I am in fact going to run a Postfix/SpamAssassin box in the DMZ as a gateway, so this setup should be not bad for a 30 person company. (IMO)

Now here is my quandary.  Users connect to the Exchange box via an inside address on this side of the firewall, and the Exchange server does other things too; changing its internal address is not an option.  Users on the outside of the firewall use an internet address to access OWA (the ISP is so new I haven't transferred our domain yet).

How the heck do I do this whiz-bang 'go wherever' and get access to your email from Outlook?  Do the remote users point to the 'external address' of the Exchange server even on the inside of the firewall?  I've noticed that I can't connect to the outside address of the Exchange server (the (inside,outside) static statement) from inside the firewall. I imagine the firewall gets confused by the request to the static because I'm trying to initiate a connection from the same subnet as the Exchange server, only using its public address (how dumb is that, thank you so much MS =P )

Any ideas?

0
Comment
Question by:MBIstephen
7 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10958027
If this is your Exchange server NAT rule, then putting the 'dns' keyword in will mean that internal users who access mail.mycompany.com, which resolves to an external address (xxx.xxx.xxx.253), will get DNS rewritten to point mail.mycompany.com to the inner address, 172.16.0.4.

static (inside,outside) xxx.xxx.xx.253 172.16.0.4 dns netmask 255.255.255.255 0 0

Should do the trick !!  ;)
0
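To make the 'dns' keyword concrete, here is an added example (not from the thread or from Cisco) that models what the PIX does with it: an A-record reply for the global address, passing from outside to inside, has its rdata rewritten to the local address, so inside clients never try to reach the public IP through their own outside interface. The public address 203.0.113.253, the name mail.example.com and the reply itself are constructed for the example; 172.16.0.4 is the inside address from the posted static.

```python
"""PIX-style DNS doctoring for `static (inside,outside) <global> <local> dns ...`.

Added example, not code from the thread. It parses a DNS A reply on the
wire and rewrites answers that carry the global (public) address so that an
inside client receives the local (inside) address instead.
"""
from __future__ import annotations

import ipaddress
import struct

# Assumed values: the thread masks the real public address, so an RFC 5737
# documentation address stands in for it. 172.16.0.4 is from the posted config.
GLOBAL_ADDR = "203.0.113.253"
LOCAL_ADDR = "172.16.0.4"
TYPE_A, CLASS_IN = 1, 1


def build_a_reply(name: str, addr: str, ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS reply (one question, one A answer) as test input."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    qname = labels + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    question = qname + struct.pack("!HH", TYPE_A, CLASS_IN)
    # Answer name is a compression pointer to offset 12, where the question starts.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _answers(msg: bytes):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer record."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_reply(msg: bytes, global_addr: str, local_addr: str) -> tuple[bytes, int]:
    """Rewrite A records equal to global_addr to local_addr; return (reply, count)."""
    g = ipaddress.IPv4Address(global_addr).packed
    loc = ipaddress.IPv4Address(local_addr).packed
    out = bytearray(msg)
    rewritten = 0
    for off, rtype, rclass, rdlen in _answers(msg):
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4 and msg[off:off + 4] == g:
            out[off:off + 4] = loc  # same length, so offsets and checksums of later records hold
            rewritten += 1
    return bytes(out), rewritten


def answered_addresses(msg: bytes) -> list[str]:
    """Extract the A-record addresses from a reply."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for off, rtype, _rclass, rdlen in _answers(msg)
            if rtype == TYPE_A and rdlen == 4]


def inside_client_sees(name: str) -> str:
    """Address an inside client gets once the outside->inside reply is doctored."""
    reply = build_a_reply(name, GLOBAL_ADDR)  # what the external DNS server answered
    doctored, _ = doctor_reply(reply, GLOBAL_ADDR, LOCAL_ADDR)
    return answered_addresses(doctored)[0]


if __name__ == "__main__":
    print("inside client resolves mail.example.com to", inside_client_sees("mail.example.com"))
```

Two caveats that follow from the mechanism: the rewrite only happens to replies that actually cross the PIX from outside to inside (inside clients, or the inside DNS server forwarding on their behalf, must be resolving the name through the firewall, and the reply must fit the `fixup protocol dns maximum-length 512` already in the config), and there has to be a public A record to rewrite in the first place, so it cannot be exercised with a bare IP. Running an internal zone for the name that answers 172.16.0.4 directly (split DNS) gives inside clients the same result without depending on the firewall.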
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10958118
Don't forget to run these afterwards:

clear xlate
clear arp
wr mem
0
 

Author Comment

by:MBIstephen
ID: 10961132
ah...

unfortunately our domain is at another ISP for now, I can't 'test' this I don't have A record for the address...so I take it there is no way to simply use the address not a name to do this?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10961433
You can test with just an IP address like this by telnetting to port 25.

http://support.microsoft.com:80/support/kb/articles/Q153/1/19.asp&NoWebContent=1

0
 

Author Comment

by:MBIstephen
ID: 10963458
hmm...I appreciate the responses but maybe I'm not being clear..

SMTP is a different issue...I'm trying to figure out what my mobile users should do to be able to get at their email in their Outlook client no matter where they are.

Right now they connect to the Exchange server via the internal name/address...OWA works from a web browser.

According to Microsoft, Outlook will use RPC over HTTP to provide a 'seamless' connection to your inbox from Outlook from the internet.  What is not really that clear is how they want you to implement this (well, they do tell you to use the ISA 'web site publishing' wizard).

Before I tell everyone with a laptop to change their Exchange server entry to something other than an internal server, I have to verify that it works.  Right now, you can't access OWA using the external address from inside of the firewall.  Not sure what telnetting into port 25 does to prove the concept that you can connect to Exchange via Outlook no matter where you are...
0
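Since the question is how to verify RPC over HTTP before repointing laptops, here is an added example (not from the thread, and not a Microsoft tool) of the check a practitioner would run. Outlook 2003 does not talk MAPI to the public address directly: it sends RPC_IN_DATA and RPC_OUT_DATA requests over HTTPS to /rpc/rpcproxy.dll?server:port on the IIS instance of the Exchange box, and the RPC proxy component forwards them to the store on TCP 6001. So the first thing to confirm, from outside and from inside, is that the proxy answers on 443 at all. The host names below are placeholders; a real run needs a route to the server, and the by-IP option only exists because the thread's domain is not yet delegated.

```python
"""Probe an Exchange 2003 RPC-over-HTTP proxy endpoint (added example).

Sends one RPC_IN_DATA request the way Outlook 2003 does and reports what the
status code says about the setup. Network access is required for probe();
classify() is pure and can be exercised without a server.
"""
from __future__ import annotations

import http.client
import socket
import ssl

RPC_PROXY_PATH = "/rpc/rpcproxy.dll"
STORE_PORT = 6001  # Exchange 2003 information store port behind the RPC proxy


def classify(status: int | None, error: str | None = None) -> str:
    """Translate the proxy's reply (or a connection failure) into a diagnosis."""
    if error is not None:
        # From inside, a refused/timed-out connection to the public IP is the
        # hairpin case: PIX 6.x will not send traffic back out the interface it
        # arrived on, so the (inside,outside) static never applies to it.
        return f"unreachable: {error} (443 blocked, no static/ACL, or hairpin from inside)"
    if status == 401:
        return "rpc proxy present; server wants authentication (expected for Outlook)"
    if status == 404:
        return "no /rpc virtual directory: RPC over HTTP Proxy component not installed"
    if status == 403:
        return "forbidden: IIS refused /rpc (e.g. SSL required but not negotiated)"
    if status == 200:
        return "unexpected 200: something other than rpcproxy.dll answered"
    return f"unexpected status {status}"


def probe(host: str, backend: str, verify_name: bool = True, timeout: float = 5.0) -> str:
    """Send one RPC_IN_DATA request to https://host/rpc/rpcproxy.dll?backend:6001.

    host     -- what the client connects to (public or inside name/IP, assumed)
    backend  -- the server name Outlook puts after '?', i.e. the Exchange box's
                own name as the proxy knows it (assumed)
    verify_name=False lets you test by bare IP before the public A record
    exists; Outlook itself will insist on a certificate matching the name.
    """
    ctx = ssl.create_default_context()
    if not verify_name:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("RPC_IN_DATA", f"{RPC_PROXY_PATH}?{backend}:{STORE_PORT}",
                     headers={"Host": host, "Content-Length": "0"})
        resp = conn.getresponse()
        return classify(resp.status)
    except (OSError, socket.timeout, http.client.HTTPException) as exc:
        return classify(None, error=type(exc).__name__)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    print(target, "->", probe(target, backend=target, verify_name=False))
```

Run it once from a machine outside the firewall against the public address and once from the inside LAN against the inside address; a 401 from both is the point at which changing the Outlook profile becomes worth trying. The inside probe against the public address is expected to fail on this PIX for the hairpin reason above, which is why inside clients need to be handed the inside address (by the 'dns' keyword or by an internal DNS zone) rather than the public one.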
 
LVL 23

Accepted Solution

by:
Tim Holman earned 250 total points
ID: 10966716
0
 

Expert Comment

by:xloveusa
ID: 12248309
I have a similar configuration in my pix firewall but I cannot connect to my exchange server with OL2003 to EX2003 with https over rpc. Do I have to have a front end server? Right now my exchange server is terminating the connection. It works inside just not from the outside in.
0
