kdlange77 asked:
Configuring Cisco Pix Firewall for Exchange 2007 Migration for ActiveSync/OWA...

I have an Exchange 2003/Exchange 2007 domain.  I have migrated my Mailbox and everything works fine for sending and receiving e-mail from either Exchange Server...except OWA from the internet and ActiveSync for my Mobile 6 device.  I have an open case with Microsoft working on the problem and they confirmed that I have OWA working internally and state that I need to configure my firewall to allow ssl or https traffic to be forwarded to my Exchange 2007 server.  Here is my Cisco config and the internal address for my Exchange 2003 server is 192.168.100.31 and for Exchange 2007 it is 192.168.100.6

Can I just reconfigure to send https traffic to the Exchange 2007 server and everything else to my Exchange 2003 server, or will it still work and will I be better off to simply route all my traffic to the Exchange 2007 server first and let the RGC send Exchange 2003 traffic as it needs to?

Thanks!
: Written by enable_15 at 08:45:03.677 UTC Fri Jun 27 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname xx-xxxx
domain-name columbia.williamskeepers.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_in permit icmp any any
access-list acl_in deny tcp any host 216.106.93.30 eq netbios-ssn
access-list acl_in deny udp any host 216.106.93.30 eq netbios-ns
access-list acl_in deny tcp any host 216.106.93.30 eq 445
access-list acl_in deny udp any any eq netbios-dgm
access-list acl_in deny udp any any eq domain
access-list acl_in permit ip any host 216.106.93.30
pager lines 24
mtu outside 1500
mtu inside 1500
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.106.93.30 192.168.100.31 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
rip outside default version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 216.106.93.17 1
route inside 192.168.200.0 255.255.255.0 192.168.100.212 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

LegendZM replied:

You need to route all your 443 / 80 traffic to your Exchange 2007 only if it has a CAS role installed. If you have the CAS role installed, then you need to have the 443 traffic forward to it, since that is where your OWA resides now.
kdlange77 (asker) replied:

Yes, my Exchange 2007 server is defined with the CAS role; as I stated, it is working fine for everything except OWA externally and ActiveSync.

I don't mean to be obtuse, but how do I route 443 / 80 traffic to my Exchange 2007 server?  
Do I change this line in my router config to point to my Exchange 2007 IP address, (and route all traffic to it) or do I modify it and point only 443 / 80 traffic to it, and if so how do I do that?
static (inside,outside) 216.106.93.30 192.168.100.31 netmask 255.255.255.255 0 0

I still need my users on the Exchange 2003 server to continue working...

LegendZM replied:

That's right, you would change this line:
static (inside,outside) 216.106.93.30 192.168.100.06 netmask 255.255.255.255 0 0

to the new IP 192.168.100.06.

If your old Exchange server is not the one receiving mail, it will continue to work for users who have mailboxes there; you'll need to create a routing group to have it send/receive mail between the 2003/2007 servers. You'll also need to ensure the Hub role is installed on the Exchange 07 server and configure it to receive mail from *
kdlange77 (asker) replied:

I changed my configuration to
static (inside,outside) 216.106.93.30 192.168.100.6 netmask 255.255.255.255 0 0
and my Exchange 2007 mailbox worked fine...both sending and receiving internal and external e-mail.  The 2003 mailboxes could only send/receive internal e-mails and OWA and ActiveSync still did not work externally.
So I rerouted it back to the Exchange 2003 server and now the only thing not working is OWA and ActiveSync.  I think I have two problems...

1. The external traffic for OWA and ActiveSync are not making it past my firewall.
2. My RGC between Exchange 2007 and 2003 is not working properly.  When incoming mail is routed to the Exchange 2007 server it does not pass along the 2003 messages; however, when incoming mail is routed to the Exchange 2003 server first it does pass along the 2007 messages.

I can get the RGC fixed working with Microsoft, but I am not sure why the OWA and ActiveSync traffic would not make it past the firewall...or am I missing something?
LegendZM replied:

Once you upgrade to Exchange 2007 there is no going back; I believe it MUST be the server that handles your ActiveSync and OWA requests.

It even has a legacy directory (/exchange) for users who still have a mailbox on an Exchange 2003 server,
and an /owa directory for people who access OWA and have a mailbox on a 2007 server.

For starters, for OWA/ActiveSync, open 443 and 80 to your Exchange.

Now you just need to set up send/receive connectors (no longer called routing groups on Exchange 2007) to route mail to and from

As far as OWA/ActiveSync, it must be 2007 that is handling those requests now.

kdlange77 (asker) replied:

Okay, for starters...how do I "open 443 and 80 to my Exchange"?  I think if I can get that set in my firewall to work right, then I can handle the rest of the connector issues.
Maybe I should start another question on the Cisco forum to get that answer because I don't know what it is...

I had already reviewed the other threads you referred to in your last message before I posted this question.
ASKER CERTIFIED SOLUTION by LegendZM (the accepted solution text is shown only to Experts Exchange members).

kdlange77 (asker) replied:

Thanks for the help on this issue; the problem was finally resolved by Microsoft and with the above changes to the firewall.

Note: when making changes to a static route, do a "clear xlate" to clear the cache or table in the firewall so traffic is rerouted to the newly assigned internal address.  I called my ISP when I discovered that my traffic was still going to the wrong box, and after about 30 minutes we discovered this handy little Cisco PIX command.

The Mail Flow between my Exchange 2007/2003 server was incorrectly configured and I am still not sure what they did to fix it, but it works.
To fix Activesync, we had to remove and re-create the virtual directory for Exchange-Active-Sync on the 2007 server.
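The thread never spells out how to "open 443 and 80" to the 2007 CAS while keeping SMTP on the 2003 server, and the asker's own finding (mail flow only worked when 216.106.93.30 pointed at the 2003 box, but OWA/ActiveSync must terminate on 2007) calls for splitting the single 1:1 static by port. The PIX 6.3 fragment below is an added example written for this page, not configuration posted by either participant or by Microsoft; it assumes the addresses and ACL name from the asker's config, that SMTP should keep landing on 192.168.100.31, and that HTTP/HTTPS should go to the CAS at 192.168.100.6. The `:` comment style is the one the PIX itself uses in saved configs (see the "Written by enable_15" header line).

```cisco
: --- Split 216.106.93.30 by port instead of a 1:1 static ---
: Port-level statics cannot coexist with a 1:1 static for the same global address,
: so the existing full static to the Exchange 2003 server is removed first.
no static (inside,outside) 216.106.93.30 192.168.100.31 netmask 255.255.255.255 0 0

: SMTP stays with the Exchange 2003 server (the routing that kept mail flowing for both sides).
static (inside,outside) tcp 216.106.93.30 smtp  192.168.100.31 smtp  netmask 255.255.255.255 0 0

: HTTPS and HTTP go to the Exchange 2007 CAS, which now serves /owa, /exchange and ActiveSync.
static (inside,outside) tcp 216.106.93.30 https 192.168.100.6 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.106.93.30 www   192.168.100.6 www   netmask 255.255.255.255 0 0

: --- Narrow the inbound ACL to the services that are actually published ---
: The original "permit ip any host 216.106.93.30" allowed every port through to the
: translated host; with per-port statics the permits can match the statics one for one.
no access-list acl_in permit ip any host 216.106.93.30
access-list acl_in permit tcp any host 216.106.93.30 eq smtp
access-list acl_in permit tcp any host 216.106.93.30 eq https
access-list acl_in permit tcp any host 216.106.93.30 eq www
access-group acl_in in interface outside

: --- Flush existing translation slots so new connections use the new statics ---
: Without this, established xlate entries keep sending 216.106.93.30 traffic to the old host,
: which is the symptom the asker described before learning this command.
clear xlate

: --- Verify, then save ---
show static
show xlate
show access-list acl_in
write memory
```

Two things to check after applying it: `show static` should list three port statics and no remaining 1:1 entry for 216.106.93.30, and an external `telnet 216.106.93.30 443` style probe should reach the 2007 CAS while port 25 still reaches the 2003 server. Note that once the 1:1 static is gone there is no translation for ICMP to 216.106.93.30, so external pings of that address stop answering even though `permit icmp any any` remains in the ACL; if the ISP or a monitor relies on ping, keep that in mind before cutting over.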