Sonicwall and Outlook Anywhere

Posted on 2013-12-09
  • Hardware Firewalls
  • Exchange
  • Outlook
  • Network Security
  • +1
Last Modified: 2016-12-04
Hi there,

a few days ago we bought a Sonicwall NSA 3500 and a Sonicwall SRA4600.
We could provide Outlook Web Access and ActiveSync without any problems on an easy way over these appliances. But now there is Outlook Anywhere and I get crazy with the configuration of this feature.

We published Outlook Anywhere over the Generic SSL Offload-Function of SRA4600. In my opinion this might not be the best and secure way. Are there some other ways to provide Outlook Anywhere with these appliances? There should be a Web Application Firewall and other security functions for Outlook Anywhere, too.

Thanks in advance and best regards,

Question by:maxworx
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39707054
I don't touch outlook anywhere, but I did want to say you should look at the sonicwall 3600. When I bought mine it was both less expensive and far more powerful than the 3500. Unless you got a smoking deal, return it and get the 3600 ASAP.
LVL 24

Expert Comment

ID: 39707237
Hi maxworx,

I've never used Generic SSL Offload for RPC/HTTP (Outlook Anywhere). I've always just set it up traditionally so I don't know if this is correct or not. May I ask why you are using SSL Offloading for this...some of the reasons to use SSL Offloading are for performance gains and resource consolidation. But some of the advantages of Outlook Anywhere are that you can use the same URL & namespace that you use for OWA & AES along with the same SSL Cert so consolidation is already achieved by design. That leaves the performance gain but unless your org is massive and RPC/HTTP traffic is spiking, I don't perceive the effectiveness of it.

What version of Exchange are you running?

Where is the Exchange server located on-site or offsite (depends on the org structure but you could have onsite using RPC/HTTP for many reasons)?

Are you currently using two-factor or Client Certificate authentication to access OWA?

You can test end-to-end client connectivity for Outlook Anywhere and TCP-based connections by using the Test-OutlookConnectivity cmdlet.

Let me know how it goes!

Author Comment

ID: 39708311

@ aarontomosky: Thank you for your reply. This is not an option for us, because the NSA 3600 doesn't support the MS-RPC Protocol, too.

@ Diverse IT: Thank you for your reply. What do you mean with "traditionally"? We are using Generic SSL Offloading in term of our Certificates. Internally we use a self-signed certificate and for our external communication we use a wildcard-certificate.

At the moment we use a MS Exchange 2007 Server. In the near future we plan to migrate to version 2013.

Our Exchange Server is located onsite.

We are using two-factor Auth.

Outlook Anywhere is functional with Generic SSL Offloading. Before we bought the SonicWall Appliances there was a Forefront TMG 2010. Therefore Outlook Anywhere was easy to configure.

It's functional, so that this isn't our problem. But we think that the configuration we did is unsecure. We configured the following way:
Client <--> Internet <--> NSA3500 <--> DMZ <--> SRA4600 <--> DMZ <--> NSA3500 <--> LAN <--> Exchange Server
All configurations regarding NAT a.o. are done.

Another option is to open Port 443 directly from Firewall to Exchange Server with NAT. But this might be more unsecure to our actual config.

Microsofts best practice is to deploy only some paths. e.g. /owa/ and /rpc/ But I can't do this with Sonicwall or I can't find how to do this.

We hope that there is another, more secure way to provide Outlook Anywhere.

Thanks in advance and best regards,

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

LVL 24

Accepted Solution

diverseit earned 500 total points
ID: 39711110
So the Exchange Server is in the LAN. Have you considered moving it to the DMZ?

Another option is to open Port 443 directly from Firewall to Exchange Server with NAT. But this might be more unsecure to our actual config.

Microsofts best practice is to deploy only some paths. e.g. /owa/ and /rpc/ But I can't do this with Sonicwall or I can't find how to do this.
No firewall that I know of will limit traffic to a directory level within a server. Typically, I see it executed by opening port 443 and NATing it to the Exchange Server.

Here are some Security Best Practices - though most deal with the Exchange config.
1. Exchange Architecture. Put the Edge Transport on the Perimeter Network and the Client Access, Mailbox, Hub Transport & Unified Messaging on the Internal Network. If there is a need to limit and filter incoming connections from untrusted sources, use a properly designed application proxy server such as ISA Server, deployed in the perimeter network as well.
2. Run SCW & harden the server. (
3. Don't use default certs on public facing server roles.
4. Disable HTTP connections. Either use IIS to redirect to HTTPS or just don't publish the insecure versions of SSL.
5. Use the Client Submission Port. Use two separate SMTP server ports.

Hope that helps!

Author Closing Comment

ID: 39761701
Happy New Year.

Thank you for this best practices guide. We published Outlook Anywhere this way.
LVL 24

Expert Comment

ID: 39763294
Happy New Year!

Terrific, glad I could help and thanks for the points!

Expert Comment

by:Sarah Restoink
ID: 41845414
Excellent discussion!

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now