Solved

Establishing an SSL VPN while having SSL OWA

Posted on 2010-11-16
568 Views
Last Modified: 2012-05-10
Hello all and thank you for your time. I am in a predicament with one of my projects. I am looking to establish an SSL VPN for my remote users through the Cisco ASA 5505. (Note: only 1 static IP.)
I have Exchange 2003 that has OWA set up for the obvious web access and for RPC/HTTP for mobile devices and remote users who have Outlook 2003 and up.

My issue is that port 443 is already established for OWA, so that is an issue for getting the VPN up and running. I would like to keep OWA so that remote users with mobile devices can connect to email. At this point I don't have the approval for another static IP. I have been told that I can change the secure port for OWA to another port number. I was under the impression that for SSL it has to be 443, so I don't understand how changing the port number would work.

Has anyone been in a similar situation? If so, what was your solution?
0
Question by:jrojas1213
11 Comments
 
LVL 9

Expert Comment

by:gavving
ID: 34148240
The outside interface IP of the ASA must not have port 443 in use if you want to run SSL VPN on it, as you've found out.

HTTPS can be used on any port, it's just used on port 443 by default.   You could reconfigure the ASA to do port redirection and free up port 443.  

static (inside,outside) tcp interface 4443 10.1.1.1 443 netmask 255.255.255.255
(Assuming 8.2.1 code or lower)

Then when users access it they would have to use a URL like:

https://owa.domainname.com:4443/owa

A better solution is to have another static IP and NAT the Exchange server to that IP exclusively. Then your users wouldn't have to remember to add the port to the URL.
0
 
LVL 18

Expert Comment

by:jmeggers
ID: 34148254
You can redirect OWA to use a different port.  If users are connecting using a resolved name, DNS can handle the redirection.
0
 
LVL 1

Author Comment

by:jrojas1213
ID: 34168215
Will I be able to maintain a secure connection even though I would change OWA to another port #? Because I KNOW I CAN'T CHANGE IT ON THE CISCO BOX.
0
 
LVL 1

Author Comment

by:jrojas1213
ID: 34168422
For Exchange 2003, is this change made in IIS only (besides the router)? I could not find anything in System Manager that would lead me to believe it required any configuration change.
0
 
LVL 9

Expert Comment

by:gavving
ID: 34169068
I would recommend making the change on the firewall to Port NAT 443 to a different port for Internet users, rather than adjusting the HTTPS port on the server itself.  

Look at the Static NAT statement I listed above.  Adjust the IPs to meet your needs.  Remove your old NAT rule that's natting the 443 port and replace it with that one.  Then from the Internet access the server via https://servername.domain.com:4443/exchange.

0
 
LVL 1

Author Comment

by:jrojas1213
ID: 34173096
Thank you gavving. So if I understand your process correctly, by simply changing my NAT rules, changing OWA as an example to port 4443, when that port comes in it will forward to 443 on the Exchange server. Now in your command above, "static (inside,outside) tcp interface 4443 10.1.1.1 443 netmask 255.255.255.255", I'm assuming the IP listed would be the Exchange server, correct?

Now when configuring the ASA as the SSL VPN, there would be no conflict setting that up on port 443 since OWA will be using "4443", correct?

Thanks for your patience. As you can probably tell, I'm new to the networking world, and the ASA is a powerful device to start learning on.
0
 
LVL 9

Expert Comment

by:gavving
ID: 34173593
Yes you're correct.  10.1.1.1 would be the IP of your server.  You should already have a line like this present in your config.  It would look like:

static (inside,outside) interface 10.1.1.1 netmask 255.255.255.255

Notice the lack of the 'tcp' and 4443, and 443 in the line.   You would need to remove this line with a 'no' command.  Then add the line back in with the syntax I stated above.

Something I thought about though.  If you do it this way it's likely to break ActiveSync devices such as iPhones or other phones that might be configured to sync to the Exchange server.  Those devices generally don't have an option to use a non-standard phone.  So if you need to support ActiveSync, and you want to configure SSL VPN, then your only option is to get another static IP from the ISP and move the Exchange server to that IP.
0
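The two gavving posts above describe the same check in words: a one-to-one static that maps the whole outside interface address to the Exchange server owns port 443, so the SSL VPN listener cannot bind there, and the fix on pre-8.3 code is to drop that static and re-add it as a TCP port redirect (4443 outside, 443 inside). The following Python script is an added example, not code from the thread or from Cisco, that parses an ASA 8.2-style configuration excerpt, flags any static that collides with the webvpn listener, and prints the replacement commands in the form gavving gave. The configuration text, the 10.1.1.1 address and the interface names are constructed for the example; the script assumes the older `static (real,mapped) ...` syntax and the `webvpn` / `enable <if>` / `port <n>` sub-commands.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of a pre-8.3 ASA configuration excerpt (hypothetical
# addresses and names, not taken from the thread's device). The one-to-one
# static maps the whole outside interface IP to the Exchange server, which
# is exactly what the thread says collides with the SSL VPN listener.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
static (inside,outside) interface 10.1.1.1 netmask 255.255.255.255
webvpn
 enable outside
 port 443
"""

# 'static' syntax from ASA 8.2 and earlier: optional protocol, mapped address
# (or the keyword 'interface'), optional mapped port, real address, optional
# real port, then the netmask.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)"
    r"(?: (?P<proto>tcp|udp))?"
    r" (?P<mapped>\S+)(?: (?P<mapped_port>\d+))?"
    r" (?P<real>\S+)(?: (?P<real_port>\d+))?"
    r" netmask (?P<mask>\S+)\s*$"
)


@dataclass
class StaticNat:
    raw: str
    real_if: str
    mapped_if: str
    proto: Optional[str]
    mapped_addr: str
    mapped_port: Optional[int]
    real_addr: str
    real_port: Optional[int]
    mask: str


def parse_statics(config: str) -> List[StaticNat]:
    """Collect every 'static' translation present in the config."""
    result = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        result.append(StaticNat(
            raw=line.strip(),
            real_if=g["real_if"], mapped_if=g["mapped_if"], proto=g["proto"],
            mapped_addr=g["mapped"],
            mapped_port=int(g["mapped_port"]) if g["mapped_port"] else None,
            real_addr=g["real"],
            real_port=int(g["real_port"]) if g["real_port"] else None,
            mask=g["mask"],
        ))
    return result


def parse_webvpn(config: str) -> Optional[Tuple[str, int]]:
    """Return (interface, port) of the enabled SSL VPN listener, or None.
    The listener defaults to 443 when the block has no 'port' line."""
    in_block, iface, port = False, None, 443
    for line in config.splitlines():
        if line.strip() == "webvpn":
            in_block = True
            continue
        if in_block and not line.startswith(" "):
            in_block = False  # indented sub-commands have ended
        if not in_block:
            continue
        parts = line.split()
        if parts[:1] == ["enable"] and len(parts) == 2:
            iface = parts[1]
        elif parts[:1] == ["port"] and len(parts) == 2:
            port = int(parts[1])
    return (iface, port) if iface else None


def find_conflicts(config: str) -> List[StaticNat]:
    """Statics that claim the SSL VPN port on the SSL VPN interface."""
    vpn = parse_webvpn(config)
    if vpn is None:
        return []
    iface, port = vpn
    hits = []
    for s in parse_statics(config):
        if s.mapped_if != iface or s.mapped_addr != "interface":
            continue
        if s.proto is None:
            hits.append(s)  # one-to-one static: owns every port, 443 included
        elif s.proto == "tcp" and s.mapped_port == port:
            hits.append(s)  # port translation that lands on the VPN port
    return hits


def suggest_redirect(s: StaticNat, new_mapped_port: int = 4443,
                     real_port: int = 443) -> List[str]:
    """Replacement commands in the style of the thread: remove the conflicting
    static and re-add it as a TCP port redirect that leaves 443 free."""
    new_line = (f"static ({s.real_if},{s.mapped_if}) tcp {s.mapped_addr} "
                f"{new_mapped_port} {s.real_addr} {real_port} netmask {s.mask}")
    return [f"no {s.raw}", new_line]


if __name__ == "__main__":
    for hit in find_conflicts(SAMPLE_CONFIG):
        print("conflict:", hit.raw)
        for cmd in suggest_redirect(hit):
            print("  ", cmd)
        # Caveat from the thread: ActiveSync clients generally cannot be
        # pointed at a non-standard port, so this redirect may break them.
```

Running the script on the sample prints the one-to-one static as a conflict followed by the `no static ...` line and the `static (inside,outside) tcp interface 4443 10.1.1.1 443 netmask 255.255.255.255` replacement; feeding it the corrected configuration reports nothing, because a TCP redirect on 4443 no longer overlaps the webvpn port. A static that maps a dedicated second public address rather than the `interface` keyword is ignored, which matches the thread's preferred fix of moving Exchange to its own IP.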
 
LVL 9

Expert Comment

by:gavving
ID: 34173601
^ I meant to say: "Those devices generally don't have an option to use a non-standard port."
0
 
LVL 1

Author Comment

by:jrojas1213
ID: 34175257
That was my concern, since we have many mobile devices that it may break somewhere. If I were to get another static IP, would I have to reconfigure the Exchange server to the ISP? Why not just configure the SSL VPN and leave Exchange alone? Fewer things to break, right?
0
 
LVL 9

Accepted Solution

by:
gavving earned 250 total points
ID: 34175527
Yes that would entail changing the external IP of the firewall to the new IP assigned by the ISP.  If you already have any VPN connections pointing to that IP then you'd need to reconfigure those VPN clients to point to the new IP.  

The method I would choose would depend on what I have easy access to change and would be the least impacting.  If I didn't have easy access to make Internet DNS changes to point it to the new Exchange server external IP, then I'd probably change the firewall IP and leave the Exchange server on the old IP.  But if I had a large number of IPsec VPN clients pointed directly to the IP of the firewall, then I'd move the Exchange server, update DNS, and leave the firewall on the existing IP.
0
 
LVL 1

Author Comment

by:jrojas1213
ID: 34175780
Thanks gavving. The next chapter in this book will now be to look into getting another IP from my ISP and playing around with that.
0
