RPC over HTTPS and Exchange 2003

Building configuration...
: Saved
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password bleep encrypted
passwd bleep encrypted
hostname plato
domain-name nuh-uh
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
name devnet
name corpnet
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any host xxx.xxx.xx.254 eq smtp
access-list 101 permit tcp any host xxx.xxx.xx.254 eq ssh
access-list 101 permit tcp any host xxx.xxx.xx.253 eq https
access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
access-list mbi_splitTunnelAcl permit ip corpnet any
access-list mbi_splitTunnelAcl permit ip devnet any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xxx.xxx.xx.226
ip address inside
ip address dmz1
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location inside
pdm location devnet inside
pdm location inside
pdm location dmz1
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xx.227-xxx.xxx.xx.247 netmask
global (outside) 1 xxx.xxx.xx.248 netmask
global (dmz1) 1 netmask
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
nat (dmz1) 1 0 0
static (dmz1,inside) xxx.xxx.xx.254 netmask 0 0
static (dmz1,outside) xxx.xxx.xx.254 netmask 0 0
static (inside,outside) xxx.xxx.xx.253 netmask 0 0
access-group 101 in interface outside
rip inside default version 2
route outside 1
route inside devnet 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host ah-ah-ah timeout 10
aaa-server LOCAL protocol local
ntp server source inside prefer
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside /firewall
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mbi address-pool vpnpool
vpngroup mbi dns-server
vpngroup mbi wins-server
vpngroup mbi default-domain foo.foo.foo.foo.foo
vpngroup mbi split-tunnel mbi_splitTunnelAcl
vpngroup mbi idle-time 1800
vpngroup mbi password ********
telnet timeout 5
ssh inside
ssh inside
ssh timeout 5
console timeout 20
terminal width 80
: end


The above works like a charm outside of this network for allowing port 443 access to our Exchange Server 2003 (OWA).  Not crazy about the hole down the center of my firewall but I'm not going to:

a.  Put the exchange server on the DMZ
b.  Buy another server and put a 'front-end' server on the DMZ

So OWA over SSL this way will have to do.  I am in fact going to run a Postfix/SpamAssassin box in the DMZ as a gateway, so this setup should be not bad for a 30-person company. (IMO)

Now here is my quandary.  Users connect to the Exchange box via an inside address on this side of the firewall, and the Exchange server does other things too, so changing its internal address is not an option.  Users on the outside of the firewall use an internet address to access OWA (the ISP is so new I haven't transferred our domain yet).

How the heck do I do this whiz-bang 'go wherever' and get access to your email from Outlook?  Do the remote users point to the 'external address' of the Exchange server even on the inside of the firewall?  I've noticed that I can't connect to the outside address of the Exchange server (the (inside,outside) static statement) from inside the firewall; I imagine the firewall gets confused by the request to the static because I'm trying to initiate a connection from the same subnet as the Exchange server, only using its public address (how dumb is that, thank you so much MS =P )

Any ideas?

Tim Holman Commented:
If this is your Exchange server NAT rule, then putting the 'dns' keyword in will mean that internal users who access mail.mycompany.com, which resolves to an external address (xxx.xxx.xxx.253), will get the DNS reply rewritten to point mail.mycompany.com to the inner address:

static (inside,outside) xxx.xxx.xx.253 dns netmask 0 0

Should do the trick !!  ;)
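What the 'dns' keyword on that static actually does is worth seeing in code. The PIX inspects DNS replies that cross it (the posted config has `fixup protocol dns` on, which is required) and, when an A record in the answer carries the global (outside) address of a static translation, rewrites it to the local (inside) address before the reply reaches the inside client. So an inside Outlook client resolving the public mail name gets the inside address and never tries to hairpin through the firewall, while outside clients still get the public address. The model below is an added example written for this thread, not code from the original post or from Cisco; the addresses (203.0.113.253 outside, 192.168.1.20 inside), the hostname mail.example.com and the DNS reply bytes are all constructed for the demo. Two caveats a practitioner should check before relying on this: the reply must actually pass through the PIX between the two interfaces named in the static (inside clients that resolve against an internal AD DNS server never cross the firewall, and in that case the usual fix is a split-DNS zone that hands out the inside address), and the name Outlook is pointed at must resolve on both sides, since RPC over HTTPS is configured by name, not by IP.

```python
"""Added example, not from the original thread or Cisco: a model of PIX DNS
doctoring (the `dns` keyword on a static).  The PIX inspects DNS replies that
cross it and, when an A record carries the global (outside) address of a
static translation, rewrites it to the local (inside) address, so an inside
client resolving the public mail name gets the inside address.  All
addresses, the hostname and the reply bytes are constructed for the demo."""
import socket
import struct

# Constructed equivalent of:
#   static (inside,outside) 203.0.113.253 192.168.1.20 dns netmask 255.255.255.255 0 0
# global (outside) address -> local (inside) address.  Both addresses are assumptions.
STATIC_DNS_MAP = {"203.0.113.253": "192.168.1.20"}


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels, or a compression pointer)."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length


def _answer_rrs(buf: bytes):
    """Yield (rdata_offset, rtype, rclass, rdlength) for each answer-section RR."""
    flags, qdcount, ancount = struct.unpack("!HHH", buf[2:8])
    if not flags & 0x8000:          # QR bit clear: a query, nothing to doctor
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(reply: bytes) -> list[str]:
    """Dotted-quad addresses of the A records in a reply's answer section."""
    return [socket.inet_ntoa(reply[off:off + 4])
            for off, rtype, rclass, rdlen in _answer_rrs(reply)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_dns_reply(reply: bytes, static_map=STATIC_DNS_MAP) -> tuple[bytes, list[tuple[str, str]]]:
    """Rewrite A records whose address is a global address in static_map.

    Returns the (possibly modified) reply and the list of (global, local)
    rewrites applied.  Replies whose answers match no static pass through
    unchanged, as do queries."""
    buf = bytearray(reply)
    rewrites = []
    for off, rtype, rclass, rdlen in _answer_rrs(bytes(buf)):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            seen = socket.inet_ntoa(bytes(buf[off:off + 4]))
            if seen in static_map:
                buf[off:off + 4] = socket.inet_aton(static_map[seen])
                rewrites.append((seen, static_map[seen]))
    return bytes(buf), rewrites


def build_a_reply(name: str, addr: str, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Construct a standard DNS response with one question and one A answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)                   # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answer                             # 0xc00c -> offset 12


def demo() -> dict:
    """Run the model over constructed replies: one for the mail server, one unrelated."""
    public = build_a_reply("mail.example.com", "203.0.113.253")
    doctored, rewrites = doctor_dns_reply(public)
    unrelated = build_a_reply("www.example.com", "198.51.100.7")
    untouched, none = doctor_dns_reply(unrelated)
    return {
        "before": a_records(public),
        "after": a_records(doctored),
        "rewrites": rewrites,
        "unrelated_unchanged": untouched == unrelated and none == [],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the public reply for mail.example.com carrying 203.0.113.253 before doctoring and 192.168.1.20 after, while the reply for an unrelated name passes through byte-for-byte. That is exactly the behaviour the `dns` keyword gives the inside clients: same name everywhere, different address depending on which side of the PIX the reply crossed.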
Tim Holman Commented:
Don't forget to run these afterwards:

clear xlate
clear arp
wr mem
MBIstephen (Author) Commented:

Unfortunately our domain is at another ISP for now, so I can't 'test' this; I don't have an A record for the address... So I take it there is no way to simply use the address, not a name, to do this?
Tim Holman Commented:
You can test with just an IP address like this by telnetting to port 25.


MBIstephen (Author) Commented:
hmm...I appreciate the responses but maybe I'm not being clear..

SMTP is a different issue... I'm trying to figure out what my mobile users should do to be able to get email in their Outlook client no matter where they are.

Right now they connect to the Exchange Server via the internal name/address; OWA works from a web browser.

According to Microsoft, Outlook will use RPC over HTTP to provide a 'seamless' connection to your inbox from Outlook over the internet.  What is not really that clear is how they want you to implement this (well, they do tell you to use the ISA 'web site publishing' wizard).

Before I tell everyone with a laptop to change their Exchange server entry to something other than an internal server, I have to verify that it works.  Right now, you can't access OWA using the external address from inside the firewall.  Not sure what telnetting into port 25 does to prove the concept that you can connect to Exchange via Outlook no matter where you are...
I have a similar configuration in my pix firewall but I cannot connect to my exchange server with OL2003 to EX2003 with https over rpc. Do I have to have a front end server? Right now my exchange server is terminating the connection. It works inside just not from the outside in.