KANEWONG

How to use Sonicwall virtual office

Hi;

Can anyone tell me more about how to use SonicWall Virtual Office with SSL VPN to let employees access a local Exchange 2010 server from anywhere?  If I do not want OWA to be scanned by hackers, what can I do?  I am thinking of using SonicWall Virtual Office technology; does it make sense?  What are the best practices to hide OWA from the internet but allow mobile Outlook users who use laptops to access it from home?
digitap

do you have an ssl-vpn appliance or are you wanting to use the ssl-vpn functionality of a TZ or NSA series firewall?

essentially, virtual office gives your ssl-vpn clients easier access to LAN resources.  when they login to the virtual office, you can serve up links to RDP sessions, etc.

regarding setting security for OWA, you can either use GVC or ssl-vpn to secure communication between OWA and the end user never allowing access to OWA externally.

does that make sense?

Another quite simple way to hide OWA from the internet is to make an inbound NAT rule with an access rule limited to a specific user or user group. Make sure to configure your OWA with SSL/HTTPS to ensure the traffic is encrypted.

You have to enable "UserLogin" over HTTPS on the WAN interface. Then the external user must log in first to the SonicWALL and, after successful login, port 443 to OWA opens and he can work with OWA (default for about 30 minutes, but this can be adjusted).

Consider using a separate public IP in your NAT rule so that port 443 for SonicWALL User Login does not conflict with port 443 for OWA (or use port redirection in your NAT rule; or use a non-standard port for your SonicWALL's HTTPS).

Disadvantage of this solution: the user has to log in twice (first to SonicWALL, second to OWA).
KANEWONG

ASKER

Hi guys;

I found another similar solution here: https://www.experts-exchange.com/questions/26595586/using-cisco-asa-5505-for-ssl-vpn-and-OWA.html. The difference is that a Cisco ASA firewall is used in that posted solution, not SonicWall, but I believe that I can use the same idea with a SonicWall solution too; please correct me if I am wrong.

The solution mentioned that straight HTTP (port 80) is open for OWA only, letting the SSL VPN take care of the SSL connection.  Once users authenticate to the SSL VPN firewall, they are able to access Exchange's OWA or Exchange mailbox.

If this is correct, I do not need to install an SSL certificate on the Exchange server either.  Is that right?
ASKER CERTIFIED SOLUTION
digitap
This solution is only available to members.

Thanks for the link, I will look at that.  Yes, currently Outlook Anywhere is enabled.  If the SSL VPN is deployed, that could be disabled, I guess, because the remote user can authenticate through the SSL VPN first and then open the Outlook client as if sitting on the local LAN, right?

once the ssl-vpn is enabled, they can connect to any of the resources you've allowed through the vpn as if they are on the local networks.  remember, virtual office is just a web interface where you can add bookmarks for easy access to internal resources.  you can establish an ssl-vpn session and access resources manually without ever using the virtual office as if you were using the GVC.

In the documents, they mentioned "AMC" and Single Sign On. What is AMC? And is SSO included in the SonicWall NSA 2400 firewall?

AMC means Aventail Management Console.  You get Aventail with the higher end sonicwall SSL-VPN appliances.  i'm not sure if you get sso with the ssl-vpn function within the UTM appliance.  this may only be allowed with a ssl-vpn appliance.  i performed a cursory search within the sonicwall KB and didn't find anything initially.  if the NSA 2400 manual doesn't mention anything, then i'd say it's not allowed.  sorry, i didn't think to check with you regarding the appliance you were using.

No worries, you have given me a lot of precious information.

glad i could help...thx for the pts!