• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4564
  • Last Modified:

Sonicwall and Outlook Anywhere

Hi there,

a few days ago we bought a Sonicwall NSA 3500 and a Sonicwall SRA4600.
We could provide Outlook Web Access and ActiveSync without any problems on an easy way over these appliances. But now there is Outlook Anywhere and I get crazy with the configuration of this feature.

We published Outlook Anywhere over the Generic SSL Offload-Function of SRA4600. In my opinion this might not be the best and secure way. Are there some other ways to provide Outlook Anywhere with these appliances? There should be a Web Application Firewall and other security functions for Outlook Anywhere, too.

Thanks in advance and best regards,

Ralph
0
maxworx
Asked:
maxworx
1 Solution
 
Aaron TomoskyTechnology ConsultantCommented:
I don't touch outlook anywhere, but I did want to say you should look at the sonicwall 3600. When I bought mine it was both less expensive and far more powerful than the 3500. Unless you got a smoking deal, return it and get the 3600 ASAP.
0
 
Blue Street TechLast KnightsCommented:
Hi maxworx,

I've never used Generic SSL Offload for RPC/HTTP (Outlook Anywhere). I've always just set it up traditionally so I don't know if this is correct or not. May I ask why you are using SSL Offloading for this...some of the reasons to use SSL Offloading are for performance gains and resource consolidation. But some of the advantages of Outlook Anywhere are that you can use the same URL & namespace that you use for OWA & AES along with the same SSL Cert so consolidation is already achieved by design. That leaves the performance gain but unless your org is massive and RPC/HTTP traffic is spiking, I don't perceive the effectiveness of it.

What version of Exchange are you running?

Where is the Exchange server located on-site or offsite (depends on the org structure but you could have onsite using RPC/HTTP for many reasons)?

Are you currently using two-factor or Client Certificate authentication to access OWA?

You can test end-to-end client connectivity for Outlook Anywhere and TCP-based connections by using the Test-OutlookConnectivity cmdlet.

Let me know how it goes!
0
 
maxworxAuthor Commented:
Hi,

@ aarontomosky: Thank you for your reply. This is not an option for us, because the NSA 3600 doesn't support the MS-RPC Protocol, too.

@ Diverse IT: Thank you for your reply. What do you mean with "traditionally"? We are using Generic SSL Offloading in term of our Certificates. Internally we use a self-signed certificate and for our external communication we use a wildcard-certificate.

At the moment we use a MS Exchange 2007 Server. In the near future we plan to migrate to version 2013.

Our Exchange Server is located onsite.

We are using two-factor Auth.

Outlook Anywhere is functional with Generic SSL Offloading. Before we bought the SonicWall Appliances there was a Forefront TMG 2010. Therefore Outlook Anywhere was easy to configure.

It's functional, so that this isn't our problem. But we think that the configuration we did is unsecure. We configured the following way:
Client <--> Internet <--> NSA3500 <--> DMZ <--> SRA4600 <--> DMZ <--> NSA3500 <--> LAN <--> Exchange Server
All configurations regarding NAT a.o. are done.

Another option is to open Port 443 directly from Firewall to Exchange Server with NAT. But this might be more unsecure to our actual config.

Microsofts best practice is to deploy only some paths. e.g. /owa/ and /rpc/ But I can't do this with Sonicwall or I can't find how to do this.

We hope that there is another, more secure way to provide Outlook Anywhere.

Thanks in advance and best regards,

Ralph
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
Blue Street TechLast KnightsCommented:
So the Exchange Server is in the LAN. Have you considered moving it to the DMZ?

Another option is to open Port 443 directly from Firewall to Exchange Server with NAT. But this might be more unsecure to our actual config.

Microsofts best practice is to deploy only some paths. e.g. /owa/ and /rpc/ But I can't do this with Sonicwall or I can't find how to do this.
No firewall that I know of will limit traffic to a directory level within a server. Typically, I see it executed by opening port 443 and NATing it to the Exchange Server.

Here are some Security Best Practices - though most deal with the Exchange config.
1. Exchange Architecture. Put the Edge Transport on the Perimeter Network and the Client Access, Mailbox, Hub Transport & Unified Messaging on the Internal Network. If there is a need to limit and filter incoming connections from untrusted sources, use a properly designed application proxy server such as ISA Server, deployed in the perimeter network as well.
2. Run SCW & harden the server. (http://technet.microsoft.com/en-us/library/aa998208.aspx)
3. Don't use default certs on public facing server roles.
4. Disable HTTP connections. Either use IIS to redirect to HTTPS or just don't publish the insecure versions of SSL.
5. Use the Client Submission Port. Use two separate SMTP server ports.

Hope that helps!
0
 
maxworxAuthor Commented:
Happy New Year.

Thank you for this best practices guide. We published Outlook Anywhere this way.
0
 
Blue Street TechLast KnightsCommented:
Happy New Year!

Terrific, glad I could help and thanks for the points!
0
 
Sarah RestoinkCommented:
Excellent discussion!
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now