Sonicwall and Outlook Anywhere

Posted on 2013-12-09
Medium Priority
Last Modified: 2016-12-04
Hi there,

a few days ago we bought a Sonicwall NSA 3500 and a Sonicwall SRA4600.
We could provide Outlook Web Access and ActiveSync without any problems, in an easy way, over these appliances. But now there is Outlook Anywhere, and I am going crazy with the configuration of this feature.

We published Outlook Anywhere over the Generic SSL Offload function of the SRA4600. In my opinion this might not be the best and most secure way. Are there other ways to provide Outlook Anywhere with these appliances? There should be a Web Application Firewall and other security functions for Outlook Anywhere, too.

Thanks in advance and best regards,

Question by:maxworx
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39707054
I don't touch outlook anywhere, but I did want to say you should look at the sonicwall 3600. When I bought mine it was both less expensive and far more powerful than the 3500. Unless you got a smoking deal, return it and get the 3600 ASAP.
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39707237
Hi maxworx,

I've never used Generic SSL Offload for RPC/HTTP (Outlook Anywhere). I've always just set it up traditionally, so I don't know if this is correct or not. May I ask why you are using SSL Offloading for this? Some of the reasons to use SSL Offloading are performance gains and resource consolidation. But some of the advantages of Outlook Anywhere are that you can use the same URL & namespace that you use for OWA & AES along with the same SSL cert, so consolidation is already achieved by design. That leaves the performance gain, but unless your org is massive and RPC/HTTP traffic is spiking, I don't perceive the effectiveness of it.

What version of Exchange are you running?

Where is the Exchange server located, on-site or off-site (this depends on the org structure, but you could have it on-site using RPC/HTTP for many reasons)?

Are you currently using two-factor or Client Certificate authentication to access OWA?

You can test end-to-end client connectivity for Outlook Anywhere and TCP-based connections by using the Test-OutlookConnectivity cmdlet.

Let me know how it goes!

Author Comment

ID: 39708311

@ aarontomosky: Thank you for your reply. This is not an option for us, because the NSA 3600 doesn't support the MS-RPC protocol either.

@ Diverse IT: Thank you for your reply. What do you mean by "traditionally"? We are using Generic SSL Offloading in terms of our certificates. Internally we use a self-signed certificate, and for our external communication we use a wildcard certificate.

At the moment we use an MS Exchange 2007 server. In the near future we plan to migrate to version 2013.

Our Exchange Server is located onsite.

We are using two-factor auth.

Outlook Anywhere is functional with Generic SSL Offloading. Before we bought the SonicWall appliances there was a Forefront TMG 2010, so Outlook Anywhere was easy to configure.

It's functional, so that isn't our problem. But we think that the configuration we did is insecure. We configured it the following way:
Client <--> Internet <--> NSA3500 <--> DMZ <--> SRA4600 <--> DMZ <--> NSA3500 <--> LAN <--> Exchange Server
All configurations regarding NAT etc. are done.

Another option is to open port 443 directly from the firewall to the Exchange server with NAT. But this might be less secure than our current config.

Microsoft's best practice is to deploy only some paths, e.g. /owa/ and /rpc/. But I can't do this with SonicWall, or I can't find how to do this.

We hope that there is another, more secure way to provide Outlook Anywhere.

Thanks in advance and best regards,

LVL 26

Accepted Solution

Blue Street Tech earned 2000 total points
ID: 39711110
So the Exchange Server is in the LAN. Have you considered moving it to the DMZ?

Another option is to open port 443 directly from the firewall to the Exchange server with NAT. But this might be less secure than our current config.

Microsoft's best practice is to deploy only some paths, e.g. /owa/ and /rpc/. But I can't do this with SonicWall, or I can't find how to do this.
No firewall that I know of will limit traffic to a directory level within a server. Typically, I see it executed by opening port 443 and NATing it to the Exchange Server.

Here are some Security Best Practices - though most deal with the Exchange config.
1. Exchange Architecture. Put the Edge Transport on the Perimeter Network and the Client Access, Mailbox, Hub Transport & Unified Messaging on the Internal Network. If there is a need to limit and filter incoming connections from untrusted sources, use a properly designed application proxy server such as ISA Server, deployed in the perimeter network as well.
2. Run SCW & harden the server. (http://technet.microsoft.com/en-us/library/aa998208.aspx)
3. Don't use default certs on public facing server roles.
4. Disable HTTP connections. Either use IIS to redirect to HTTPS or just don't publish the insecure versions of SSL.
5. Use the Client Submission Port. Use two separate SMTP server ports.

Hope that helps!
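The path-level publishing maxworx asked about (only /owa/ and /rpc/ reachable from outside) is a function of an application proxy or WAF sitting in front of the Client Access server, which is what the replaced TMG 2010 did and what the accepted solution's "application proxy server such as ISA Server" refers to; a packet filter that NATs port 443 cannot do it. The block below is an added example, not code from this thread, from SonicWall or from Microsoft, showing the core of such a check in Python: the allowlist of virtual directories is an assumption modelled on the paths named in the thread (Exchange 2007-era names), and the sample requests are constructed. The interesting part is the normalization: the proxy must compare against the same canonical form IIS will use (percent-decoded, case-folded, dot segments collapsed, backslashes treated as separators), otherwise `/rpc/..%2fecp/` is "under /rpc/" to the proxy but `/ecp/` to the backend.

```python
"""Path allowlist for publishing Exchange virtual directories through a
reverse proxy. Added example; not from the thread, and not a SonicWall
or Microsoft feature. PUBLISHED and SAMPLE_REQUESTS are assumptions for
illustration, modelled on the /owa/ and /rpc/ paths the thread mentions."""
import posixpath
from urllib.parse import unquote

# Assumed allowlist of client-facing virtual directories (Exchange 2007 names).
# Anything else, e.g. /ecp, /PowerShell, /Exchange, /public, is denied.
PUBLISHED = (
    "/owa",
    "/rpc",                          # Outlook Anywhere (RPC over HTTP)
    "/microsoft-server-activesync",  # ActiveSync
    "/autodiscover",
    "/ews",                          # Exchange Web Services
    "/oab",                          # Offline Address Book
)

# Constructed sample requests, as a proxy in front of the CAS might see them.
SAMPLE_REQUESTS = [
    "/owa/auth/logon.aspx",
    "/RPC/RpcProxy.dll?mail.example.com:6004",
    "/Microsoft-Server-ActiveSync?Cmd=Sync&DeviceId=1",
    "/ecp/",
    "/rpc/..%2fecp/",
    "/owa/..%252f..%252fPowerShell",
    "/owa\\..\\ecp",
]


def normalize(raw_path: str) -> str:
    """Canonicalise a request path the way the backend (IIS) will.

    IIS matches virtual directories case-insensitively, decodes
    percent-encoding and accepts backslash as a separator, so the
    allowlist must be matched against the decoded, case-folded,
    dot-segment-collapsed path rather than the bytes on the wire.
    Decoding is repeated until stable so double encoding (%252e%252e)
    cannot slip a traversal past a single unquote().
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    # collapses ".", ".." and duplicate slashes; "/.." cannot climb above "/"
    path = posixpath.normpath(path)
    return path.lower()


def is_published(raw_path: str) -> bool:
    """True if the request may be forwarded to the Client Access server."""
    path = normalize(raw_path)
    # exact match or a sub-path; "/owaextra" must not match "/owa"
    return any(path == p or path.startswith(p + "/") for p in PUBLISHED)


def triage(paths):
    """Map each request path to the proxy decision, for review or logging."""
    return {p: ("forward" if is_published(p) else "deny") for p in paths}


if __name__ == "__main__":
    for req, decision in triage(SAMPLE_REQUESTS).items():
        print(f"{decision:8} {req}")
```

Run as-is it prints forward/deny for the constructed requests; the three traversal attempts all resolve to /ecp or /PowerShell and are denied, while the mixed-case /RPC/RpcProxy.dll request for Outlook Anywhere is forwarded. The same rule applies whichever product does the publishing: the decision must be taken after normalization that matches the backend, and the allowlist should be checked as a prefix-with-separator match, not a plain string prefix.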

Author Closing Comment

ID: 39761701
Happy New Year.

Thank you for this best practices guide. We published Outlook Anywhere this way.
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39763294
Happy New Year!

Terrific, glad I could help and thanks for the points!

Expert Comment

by:Sarah Restoink
ID: 41845414
Excellent discussion!
