Solved

Establishing an SSL VPN while having SSL OWA

Posted on 2010-11-16
Last Modified: 2012-05-10
Hello all, and thank you for your time. I am in a predicament with one of my projects. I am looking to establish an SSL VPN for my remote users through the Cisco ASA 5505. (Note: only 1 static IP.)
I have Exchange 2003 that has OWA set up for the obvious web access and for RPC/HTTP for mobile devices and remote users who have Outlook 2003 and up.

My issue is that port 443 is already established for OWA, so that is an issue for getting the VPN up and running. I would like to keep OWA so that remote users with mobile devices can connect to email. At this point I don't have the approval for another static IP. I have been told that I can change the secure port for OWA to another port number. I was under the impression that for SSL it has to be 443, so I don't understand how changing the port number would work.

Has anyone been in a similar situation? If so, what was your solution?
Question by:jrojas1213
 
LVL 9

Expert Comment

by:gavving
ID: 34148240
The outside interface IP of the ASA must not have port 443 in use if you want to use SSL VPN, as you've found out.

HTTPS can be used on any port, it's just used on port 443 by default.   You could reconfigure the ASA to do port redirection and free up port 443.  

static (inside,outside) tcp interface 4443 10.1.1.1 443 netmask 255.255.255.255
(Assuming 8.2.1 code or lower)

Then when users access it they would have to use a URL like:

https://owa.domainname.com:4443/owa

A better solution is to have another static IP and NAT the Exchange server to that IP exclusively. Then your users wouldn't have to remember to add the port to the URL.
 
LVL 18

Expert Comment

by:jmeggers
ID: 34148254
You can redirect OWA to use a different port.  If users are connecting using a resolved name, DNS can handle the redirection.
 
LVL 1

Author Comment

by:jrojas1213
ID: 34168215
Will I be able to maintain a secure connection even though I would change OWA to another port #? Because I KNOW I CAN'T CHANGE IT ON THE CISCO BOX.
 
LVL 1

Author Comment

by:jrojas1213
ID: 34168422
For Exchange 2003, is this change made in IIS only (besides the router)? I could not find anything in System Manager that would lead me to believe it required any configuration change.
 
LVL 9

Expert Comment

by:gavving
ID: 34169068
I would recommend making the change on the firewall to Port NAT 443 to a different port for Internet users, rather than adjusting the HTTPS port on the server itself.  

Look at the Static NAT statement I listed above.  Adjust the IPs to meet your needs.  Remove your old NAT rule that's natting the 443 port and replace it with that one.  Then from the Internet access the server via https://servername.domain.com:4443/exchange.

 
LVL 1

Author Comment

by:jrojas1213
ID: 34173096
Thank you gavving. So, if I understand your process correctly, by simply changing my NAT rules, changing OWA as an example to port 4443, when that port comes in it will forward to 443 on the Exchange server. Now in your command above, "static (inside,outside) tcp interface 4443 10.1.1.1 443 netmask 255.255.255.255", I'm assuming the IP listed would be the Exchange server, correct?

Now when configuring the ASA as the SSL VPN, there would be no conflict setting that up on port 443 since OWA will be using "4443", correct?

Thanks for your patience; as you can probably tell I'm new to the networking world, and the ASA is a powerful device to start learning on.
 
LVL 9

Expert Comment

by:gavving
ID: 34173593
Yes you're correct.  10.1.1.1 would be the IP of your server.  You should already have a line like this present in your config.  It would look like:

static (inside,outside) interface 10.1.1.1 netmask 255.255.255.255

Notice the lack of the 'tcp' and 4443, and 443 in the line.   You would need to remove this line with a 'no' command.  Then add the line back in with the syntax I stated above.

Something I thought about though.  If you do it this way it's likely to break ActiveSync devices such as iPhones or other phones that might be configured to sync to the Exchange server.  Those devices generally don't have an option to use a non-standard phone.  So if you need to support ActiveSync, and you want to configure SSL VPN, then your only option is to get another static IP from the ISP and move the Exchange server to that IP.
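Putting gavving's steps together as an added example (not configuration from the thread, and not taken from Cisco documentation): ASA 8.2-era "static" syntax as used above, 10.1.1.1 as the Exchange server's inside address as used above, and an assumed inbound ACL named outside_access_in. The exact form of the existing rule that currently sends outside port 443 to Exchange is also an assumption; gavving's comment shows one form, a port-specific static is the other common one, and "show run static" will tell you which you have.

```cisco
! Added example (not from the thread): ASA 8.2 or earlier, "static" rather than object NAT.
! 10.1.1.1 = Exchange server inside address (as in the thread). ACL name is assumed.
!
! 1. Remove whatever static currently maps outside port 443 to Exchange.
!    (Assumed to be a port-specific static PAT; if yours is the one-to-one
!    "static (inside,outside) interface 10.1.1.1 ..." form, negate that line instead.)
no static (inside,outside) tcp interface 443 10.1.1.1 443 netmask 255.255.255.255
!
! 2. Expose OWA / RPC-over-HTTP on outside port 4443 only. TLS still terminates on
!    Exchange on 443; the ASA rewrites only the destination port, so the session
!    stays encrypted end to end.
static (inside,outside) tcp interface 4443 10.1.1.1 443 netmask 255.255.255.255
!
! 3. Permit only that port inbound. Pre-8.3 inbound ACLs match the mapped address,
!    which here is the outside interface itself.
access-list outside_access_in extended permit tcp any interface outside eq 4443
access-group outside_access_in in interface outside
!
! 4. Port 443 on the outside interface is now free for the SSL VPN (default port 443).
!    Traffic to the ASA's own SSL VPN listener does not need an interface ACL entry.
webvpn
 enable outside
!
! 5. Verify: the 4443 translation should be listed, and nothing else should claim 443.
show run static
show xlate
```

After this, OWA answers at https://owa.domainname.com:4443/exchange (or /owa), exactly as gavving describes, and the ASA's own SSL VPN owns 443. The deciding factor between this and a second static IP is the one gavving raises: clients that let you type a port (browsers, Outlook RPC/HTTP profiles) keep working, while ActiveSync devices that assume 443 will stop syncing.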
 
LVL 9

Expert Comment

by:gavving
ID: 34173601
^ I meant to say: "Those devices generally don't have an option to use a non-standard port."
 
LVL 1

Author Comment

by:jrojas1213
ID: 34175257
That was my concern, since we have many mobile devices that it may break somewhere. If I were to get another static IP, would I have to reconfigure the Exchange server to the ISP? Why not just configure the SSL VPN and leave Exchange alone? Fewer things to break, right?
 
LVL 9

Accepted Solution

by:
gavving earned 250 total points
ID: 34175527
Yes that would entail changing the external IP of the firewall to the new IP assigned by the ISP.  If you already have any VPN connections pointing to that IP then you'd need to reconfigure those VPN clients to point to the new IP.  

The method I would choose would depend on what I have easy access to change and would be the least impacting.  If I didn't have easy access to make Internet DNS changes to point it to the new Exchange server external IP, then I'd probably change the firewall IP and leave the Exchange server on the old IP.  But if I had a large number of IPsec VPN clients pointed directly to the IP of the firewall, then I'd move the Exchange server, update DNS, and leave the firewall on the existing IP.
 
LVL 1

Author Comment

by:jrojas1213
ID: 34175780
Thanks gavving. That will have to be the next chapter in this book: now to look into getting another IP from my ISP and playing around with that.