Solved

Sonicwall Pro100 Configuration

Posted on 2009-05-11
9
796 Views
Last Modified: 2012-05-06
We have been working with Hypercat concerning issues in Exchange 2003.  The solutions, support and information provided by Hypercat have been excellent.  Our project included testing and configuration for Outlook Web Access.  We can access OWA from the local network but not from the Internet.  We believe the issue is relating to a Sonicwall Pro100 device on the network.  

The following instructions were provided by Hypercat:
What you need him to check is whether those two ports are open for incoming as well as outgoing traffic, and whether the incoming traffic on those ports is redirected (i.e., forwarded or NATted) properly to the internal IP address of the SBS server.

If possible, we would like specific instructions on how to review the configuration of the Sonicwall device to determine if ports 80 and 443 are set as mentioned above.  If we determine that the ports are not set, how do we change the configuration?  We did not install this device and do not have experience with this particular model.  We can access our customer's server through Remote Desktop.
Question by:barnettmnljs
9 Comments
 
LVL 16

Expert Comment

by:ccomley
You need to check that ports 80 and 443 are set to PERMIT in the WAN to LAN ruleset, with a destination of the Exchange Server and a source of "any".

You also need to make sure you have a NAT mapping between an available public IP address and the internal IP address of the Exchange Server for those ports.

NOTE

If you already have inbound SMTP email working to the ES, and I note you already have RDP working through it, then this tells us that the NAT mapping is already in place; you may just need to extend the scope to include the web ports, then find the Permit rule and add the web ports to that, or make a separate rule if the RDP permit rule is source limited.

In order to give you more detailed instructions I'd need to know what version of SonicOS you are running, specifically, Standard or Enhanced?

If you can explore and paste in the current contents of NAT and ACCESS RULES menu, that'll make it really easy!!!

 
LVL 1

Author Comment

by:barnettmnljs
Thanks for the reply.  I'm attaching a file that shows screen prints from the Sonicwall.  Please forgive my inexperience, but I have not worked with this type of device and would appreciate reference by tab or section to ensure that we are looking at the same item.  Please let me know if the screen prints do not show the information you requested.  The internal address of the server is 192.168.1.10.  The Sonicwall is 192.168.1.1.

Thanks,
Sonicwall100.pdf
 
LVL 16

Accepted Solution

by:
ccomley earned 400 total points
OK, you're on Standard OS which makes for fewer clickings.

And the 1:1 NAT mapping is already in place.

As I surmised, you already have SOME rules in place which refer to this server, e.g. rules 1 through 9 on page 4 of your printout.

So all you should need to do is create two more rules, similar but for the port ID.

Create a rule thus:

- type = allow
- source = any - WAN
- dest = 192.168.1.10 - LAN
- service = http
- time = any

Then a second rule identical but with

- service = https

and that should be all you need!

WARNING once you have done this you have exposed the web interface of your exchange server to the entire planet. This means you should take SENSIBLE precautions within the server config itself, in particular, you should make sure that ALL accounts have REAL passwords, with letters, digits and even punctuation marks. Simple passwords, e.g. just words, even "spelled funny" words, are too easy for systematic attacks to guess. DO NOT FORGET the administrator account and any other account with login privileges. And disable the GUEST account, if not done already.

If you have the budget you might consider acquiring a Sonicwall SSL-VPN appliance, setting this up inside your firewall, and then removing the above two new rules and adding instead the rules required by the Sonic SSLVPN device. Now you tell your OWA users how to access the network via the SSL-VPN system. Which means they can access any browser based service (e.g. OWA!) via a secure encrypted channel, and only that channel needs to traverse the firewall. Much more secure.

 
LVL 1

Author Comment

by:barnettmnljs
Thanks for the reply and detailed procedure.  I want to address the security issue with our customer before testing the new rules.

I have looked for a Sonicwall manual but no one seems to know where it is located, if they even had one.  Some questions before we add the rules:
a.)  What is the significance of the rule Priority?  I did not see Priority when reviewing the rule add procedure.  Is there a certain place the new rules should be added?
b.)  After the rules have been added, do we need to restart the unit for the rules to become active or are they active as soon as the entry has been completed?
c.)  Is it possible to add the rule, test it, and then make it inactive by removing the check in the ENABLE box?  

The main reason we are looking at this device is the need for OWA access by a few members of the management staff.  I see a tab on the ACCESS menu for USERS.  (Screen print attached)  Is it possible to allow only certain users access to the above rules?

Thanks again for the reply and warning.  The security issue will be addressed with our customer.

Sonicwall100Users.pdf
 
LVL 1

Author Comment

by:barnettmnljs
Do you have any comments on our last questions?  I know these seem like basic questions but I do not want to jeopardize our customer's network without knowing a little more about what we are working with.  Our staff has experience with DLink and Linksys routers but no experience with SonicWall devices.
 
LVL 16

Expert Comment

by:ccomley
There's no manual, it's all embedded. You can download significant documentation from the MySonicWall site however.

a.)  What is the significance of the rule Priority?  I did not see Priority when reviewing the rule add procedure.  Is there a certain place the new rules should be added?

You just add a new rule to the appropriate "grid" box - e.g. "WAN-to-LAN". The new rule will be slotted in to the list where it seems to best fit, which is right 95% of the time. It works on the assumption that a more specific rule should always override a less specific one, so for example, if you block access to Yahoo Messenger for ALL LAN IPs, and PERMIT access to YM from your own IP, the latter rule is more specific, and will automatically be listed first and take effect, so whatever order you enter the two, the end result is, you can access YM and no-one else can. It only gets confused when you have similar levels of "specific", e.g.
a) Deny all users access to a specific website
b) Permit a specific user access to all websites

In this case you would use the up/down arrows to manually prioritise the two rules to achieve your desired result, after you create them. Or better still, re-think the rules so they autostack normally. :-)


b.)  After the rules have been added, do we need to restart the unit for the rules to become active or are they active as soon as the entry has been completed?

No, all rules take immediate effect. The one thing to watch out for with this is that the rule *number* that appears in a log entry will change at that time, e.g. when you see, say, TCP Packet dropped because of Rule 7, and you add a new rule which goes in at slot 2, then when the SAME access attempt is blocked again a few moments later it will show it's because of Rule 8.

c.)  Is it possible to add the rule, test it, and then make it inactive by removing the check in the ENABLE box?

Just so. Also useful for putting in place rules which you only use on certain occasions, then you can disable them without having to totally remove them, they're ready to be re-enabled when you next want them.


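A small Python model of the rule behaviour ccomley describes in his two answers above (the two WAN-to-LAN allow rules for 192.168.1.10, auto-ordering by specificity, the implicit default deny, the ENABLE checkbox, and the rule-number shift in log entries). It is added here as an illustration and is not code from the thread or from SonicOS; the WAN address 203.0.113.5 and the service table are constructed for the example.

```python
# Added example (not from the thread): a toy model of Standard-OS WAN-to-LAN
# rule evaluation. Rules are auto-ordered most-specific-first, evaluated in
# that order, and anything unmatched falls through to the default deny.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"
SERVICES = {"http": 80, "https": 443, "smtp": 25, "rdp": 3389}  # constructed table

@dataclass
class Rule:
    action: str            # "allow" or "deny"
    source: str            # WAN IP or "any"
    dest: str              # LAN IP or "any"
    service: str           # key of SERVICES or "any"
    enabled: bool = True   # the ENABLE checkbox

    def specificity(self) -> int:
        # every field that is not "any" narrows the rule; narrower sorts first
        return sum(f != ANY for f in (self.source, self.dest, self.service))

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.enabled
                and self.source in (ANY, src)
                and self.dest in (ANY, dst)
                and (self.service == ANY or SERVICES[self.service] == port))

def ordered(rules: List[Rule]) -> List[Rule]:
    # stable sort: equally specific rules keep the manual (up/down arrow) order
    return sorted(rules, key=lambda r: -r.specificity())

def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based rule number) of the first matching rule,
    or ("deny", None) for the implicit default-deny rule."""
    for number, rule in enumerate(ordered(rules), start=1):
        if rule.matches(src, dst, port):
            return rule.action, number
    return "deny", None

# The two rules from the accepted solution plus a broad deny, entered in the
# "wrong" order on purpose: auto-ordering still puts the specific allows first.
OWA_RULES = [
    Rule("deny", ANY, ANY, ANY),
    Rule("allow", ANY, "192.168.1.10", "http"),
    Rule("allow", ANY, "192.168.1.10", "https"),
]

if __name__ == "__main__":
    print(evaluate(OWA_RULES, "203.0.113.5", "192.168.1.10", 443))  # ('allow', 2)
    print(evaluate(OWA_RULES, "203.0.113.5", "192.168.1.20", 443))  # ('deny', 3)
```

Note how the broad deny is rule 1 on its own but becomes rule 3 once the two OWA rules are added, which is exactly the log-entry number shift described above.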
 
LVL 1

Author Comment

by:barnettmnljs
Thanks for the quick reply.  You confirmed what we believed to be the way the rules applied.  Do you have a comment on the USERS tab under ACCESS and can it be used to limit specific rules to a few users?  If the two rules defined in your first response resolve our OWA access issue, could we allow only certain users access to the rules that open OWA?  You mentioned something like this in your response to question "a" but where are the permissions granted or denied?

Thanks
 
LVL 16

Expert Comment

by:ccomley
Yes. I've never played with user-level access but it's certainly there. Requires 802.1x enabling on the client so that it can prompt the user for their ID.

You specify users or groups of users against a particular rule. So a "permit" rule which lists users that it applies to admits those users and no others - other users therefore have their access controlled by any other existing rules or the default "deny" rule.

(Minor caveat - I don't have access to a Standard OS sonicwall any more to check that isn't an "enhanced only" option.)

 
LVL 1

Author Closing Comment

by:barnettmnljs
The information supplied with this reply resolved our problem.  However, all answers were helpful in evaluating and determining the complete solution.  Thank you for your assistance and solution.