Sonicwall and Outlook Anywhere
Hi there,
a few days ago we bought a Sonicwall NSA 3500 and a Sonicwall SRA4600.
We could provide Outlook Web Access and ActiveSync without any problems on an easy way over these appliances. But now there is Outlook Anywhere and I get crazy with the configuration of this feature.
We published Outlook Anywhere over the Generic SSL Offload-Function of SRA4600. In my opinion this might not be the best and secure way. Are there some other ways to provide Outlook Anywhere with these appliances? There should be a Web Application Firewall and other security functions for Outlook Anywhere, too.
Thanks in advance and best regards,
Ralph
a few days ago we bought a Sonicwall NSA 3500 and a Sonicwall SRA4600.
We could provide Outlook Web Access and ActiveSync without any problems on an easy way over these appliances. But now there is Outlook Anywhere and I get crazy with the configuration of this feature.
We published Outlook Anywhere over the Generic SSL Offload-Function of SRA4600. In my opinion this might not be the best and secure way. Are there some other ways to provide Outlook Anywhere with these appliances? There should be a Web Application Firewall and other security functions for Outlook Anywhere, too.
Thanks in advance and best regards,
Ralph
Aaron Tomosky
I don't touch outlook anywhere, but I did want to say you should look at the sonicwall 3600. When I bought mine it was both less expensive and far more powerful than the 3500. Unless you got a smoking deal, return it and get the 3600 ASAP.
Hi maxworx,
I've never used Generic SSL Offload for RPC/HTTP (Outlook Anywhere). I've always just set it up traditionally so I don't know if this is correct or not. May I ask why you are using SSL Offloading for this...some of the reasons to use SSL Offloading are for performance gains and resource consolidation. But some of the advantages of Outlook Anywhere are that you can use the same URL & namespace that you use for OWA & AES along with the same SSL Cert so consolidation is already achieved by design. That leaves the performance gain but unless your org is massive and RPC/HTTP traffic is spiking, I don't perceive the effectiveness of it.
What version of Exchange are you running?
Where is the Exchange server located on-site or offsite (depends on the org structure but you could have onsite using RPC/HTTP for many reasons)?
Are you currently using two-factor or Client Certificate authentication to access OWA?
You can test end-to-end client connectivity for Outlook Anywhere and TCP-based connections by using the Test-OutlookConnectivity cmdlet.
Let me know how it goes!
I've never used Generic SSL Offload for RPC/HTTP (Outlook Anywhere). I've always just set it up traditionally so I don't know if this is correct or not. May I ask why you are using SSL Offloading for this...some of the reasons to use SSL Offloading are for performance gains and resource consolidation. But some of the advantages of Outlook Anywhere are that you can use the same URL & namespace that you use for OWA & AES along with the same SSL Cert so consolidation is already achieved by design. That leaves the performance gain but unless your org is massive and RPC/HTTP traffic is spiking, I don't perceive the effectiveness of it.
What version of Exchange are you running?
Where is the Exchange server located on-site or offsite (depends on the org structure but you could have onsite using RPC/HTTP for many reasons)?
Are you currently using two-factor or Client Certificate authentication to access OWA?
You can test end-to-end client connectivity for Outlook Anywhere and TCP-based connections by using the Test-OutlookConnectivity cmdlet.
Let me know how it goes!
ASKER
Hi,
@ aarontomosky: Thank you for your reply. This is not an option for us, because the NSA 3600 doesn't support the MS-RPC Protocol, too.
@ Diverse IT: Thank you for your reply. What do you mean with "traditionally"? We are using Generic SSL Offloading in term of our Certificates. Internally we use a self-signed certificate and for our external communication we use a wildcard-certificate.
At the moment we use a MS Exchange 2007 Server. In the near future we plan to migrate to version 2013.
Our Exchange Server is located onsite.
We are using two-factor Auth.
Outlook Anywhere is functional with Generic SSL Offloading. Before we bought the SonicWall Appliances there was a Forefront TMG 2010. Therefore Outlook Anywhere was easy to configure.
It's functional, so that this isn't our problem. But we think that the configuration we did is unsecure. We configured the following way:
Client <--> Internet <--> NSA3500 <--> DMZ <--> SRA4600 <--> DMZ <--> NSA3500 <--> LAN <--> Exchange Server
All configurations regarding NAT a.o. are done.
Another option is to open Port 443 directly from Firewall to Exchange Server with NAT. But this might be more unsecure to our actual config.
Microsofts best practice is to deploy only some paths. e.g. /owa/ and /rpc/ But I can't do this with Sonicwall or I can't find how to do this.
We hope that there is another, more secure way to provide Outlook Anywhere.
Thanks in advance and best regards,
Ralph
@ aarontomosky: Thank you for your reply. This is not an option for us, because the NSA 3600 doesn't support the MS-RPC Protocol, too.
@ Diverse IT: Thank you for your reply. What do you mean with "traditionally"? We are using Generic SSL Offloading in term of our Certificates. Internally we use a self-signed certificate and for our external communication we use a wildcard-certificate.
At the moment we use a MS Exchange 2007 Server. In the near future we plan to migrate to version 2013.
Our Exchange Server is located onsite.
We are using two-factor Auth.
Outlook Anywhere is functional with Generic SSL Offloading. Before we bought the SonicWall Appliances there was a Forefront TMG 2010. Therefore Outlook Anywhere was easy to configure.
It's functional, so that this isn't our problem. But we think that the configuration we did is unsecure. We configured the following way:
Client <--> Internet <--> NSA3500 <--> DMZ <--> SRA4600 <--> DMZ <--> NSA3500 <--> LAN <--> Exchange Server
All configurations regarding NAT a.o. are done.
Another option is to open Port 443 directly from Firewall to Exchange Server with NAT. But this might be more unsecure to our actual config.
Microsofts best practice is to deploy only some paths. e.g. /owa/ and /rpc/ But I can't do this with Sonicwall or I can't find how to do this.
We hope that there is another, more secure way to provide Outlook Anywhere.
Thanks in advance and best regards,
Ralph
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Happy New Year.
Thank you for this best practices guide. We published Outlook Anywhere this way.
Thank you for this best practices guide. We published Outlook Anywhere this way.
Happy New Year!
Terrific, glad I could help and thanks for the points!
Terrific, glad I could help and thanks for the points!
Excellent discussion!