jrojas1213 asked:
Establishing an SSL VPN while having SSL OWA

Hello all, and thank you for your time. I am in a predicament with one of my projects. I am looking to establish an SSL VPN for my remote users through the Cisco ASA 5505 (note: only 1 static IP).
I have Exchange 2003 with OWA set up for the obvious web access, and RPC over HTTP for mobile devices and remote users who have Outlook 2003 and up.

My issue is that port 443 is already in use for OWA, so that is an issue for getting the VPN up and running. I would like to keep OWA so that remote users with mobile devices can connect to email. At this point I don't have the approval for another static IP. I have been told that I can change the secure port for OWA to another port number. I was under the impression that SSL has to be on 443, so I don't understand how changing the port number would work.

Has anyone been in a similar situation? If so, what was your solution?

gavving replied:

The outside interface IP of the ASA must not have port 443 in use if you want to use SSL VPN, as you've found out.

HTTPS can be used on any port; it's just on port 443 by default. You could reconfigure the ASA to do port redirection and free up port 443.

static (inside,outside) tcp interface 4443 10.1.1.1 443 netmask 255.255.255.255
(Assuming 8.2.1 code or lower)

Then when users access it they would have to use a URL like:

https://owa.domainname.com:4443/owa

A better solution is to have another static IP and NAT the Exchange server to that IP exclusively. Then your users wouldn't have to remember to add the port to the URL.
You can redirect OWA to use a different port.  If users are connecting using a resolved name, DNS can handle the redirection.
jrojas1213 (asker):

Will I be able to maintain a secure connection even though I would change OWA to another port number? Because I KNOW I CAN'T CHANGE IT ON THE CISCO BOX.
For Exchange 2003, is this change made in IIS only (besides the router)? I could not find anything in System Manager that would lead me to believe it required any configuration change.
gavving: I would recommend making the change on the firewall to port-NAT 443 to a different port for Internet users, rather than adjusting the HTTPS port on the server itself.

Look at the static NAT statement I listed above. Adjust the IPs to meet your needs. Remove your old NAT rule that's NATting the 443 port and replace it with that one. Then from the Internet, access the server via https://servername.domain.com:4443/exchange.

jrojas1213 (asker): Thank you gavving. So if I understand your process correctly, by simply changing my NAT rules, changing OWA as an example to port 4443, when that port comes in it will be forwarded to 443 on the Exchange server. Now in your command above, "static (inside,outside) tcp interface 4443 10.1.1.1 443 netmask 255.255.255.255", I'm assuming the IP listed would be the Exchange server, correct?

Now when configuring the ASA as the SSL VPN, there would be no conflict setting that up on port 443 since OWA will be using 4443, correct?

Thanks for your patience. As you can probably tell, I'm new to the networking world, and the ASA is a powerful device to start learning on.

gavving: Yes, you're correct. 10.1.1.1 would be the IP of your server. You should already have a line like this present in your config. It would look like:

static (inside,outside) interface 10.1.1.1 netmask 255.255.255.255

Notice the lack of 'tcp', 4443 and 443 in the line. You would need to remove this line with a 'no' command. Then add the line back in with the syntax I stated above.

Something I thought about, though. If you do it this way it's likely to break ActiveSync devices such as iPhones or other phones that might be configured to sync to the Exchange server. Those devices generally don't have an option to use a non-standard port. So if you need to support ActiveSync and you want to configure SSL VPN, then your only option is to get another static IP from the ISP and move the Exchange server to that IP.
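The complete change that the two gavving posts above describe, written out as an added example (this is not configuration from the original thread). The server address 10.1.1.1 and the mapped port 4443 come from the thread; the ACL name outside_access_in and the interface names inside/outside are assumptions. The second stanza goes beyond the thread and shows the equivalent on ASA 8.3 and later, where the static command was replaced by object NAT and access lists match the real (inside) address instead of the translated one:

```cisco
! --- ASA 8.2.x and earlier (the syntax used in the thread) ---
! Remove the whole-interface static that currently hands every inbound port
! on the outside interface, including 443, to the Exchange server.
no static (inside,outside) interface 10.1.1.1 netmask 255.255.255.255
! Translate only outside:4443 to the server's 443.
static (inside,outside) tcp interface 4443 10.1.1.1 443 netmask 255.255.255.255
! Pre-8.3 ACLs match the translated (outside) address, so permit the mapped port.
! ACL name is an assumption.
access-list outside_access_in extended permit tcp any interface outside eq 4443
access-group outside_access_in in interface outside
! Port 443 on the outside interface is now free for the SSL VPN listener.
webvpn
 enable outside

! --- ASA 8.3 and later (equivalent, for reference; not discussed in the thread) ---
object network owa_server
 host 10.1.1.1
 nat (inside,outside) static interface service tcp 443 4443
! 8.3+ ACLs match the real (inside) address and real port.
access-list outside_access_in extended permit tcp any host 10.1.1.1 eq 443
access-group outside_access_in in interface outside
webvpn
 enable outside
```

Two practical checks before committing this: the old whole-interface static also carried any other inbound service to that host (SMTP on 25, for example), so each of those needs its own per-port static once the catch-all is removed; and, as the post above notes, ActiveSync clients that cannot be pointed at a non-standard port will stop syncing, so test one such device against https://owa.domainname.com:4443/ before removing the old rule on a production box.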
jrojas1213 (asker): That was my concern, since we have many mobile devices that it may break somewhere. If I were to get another static IP, would I have to reconfigure the Exchange server to the ISP? Why not just configure the SSL VPN and leave Exchange alone? Fewer things to break, right?
ASKER CERTIFIED SOLUTION (gavving)
jrojas1213 (asker): Thanks, gavving. That will have to be the next chapter in this book: looking into getting another IP from my ISP and playing around with that.