6 Replies Latest reply on Oct 27, 2010 7:57 PM by imejia

    Problems with publishing MS OWA 2003

    imejia

      Hi,

       

      I have an MS 2003 infrastructure with MS Exchange 2003 as the messaging platform. One month ago we had an ISA 2004 server which published OWA, RPC, WWW, etc.... We acquired an MFE 8.0 which is doing 60% of the ISA roles, but I'm stuck with the OWA publishing rule. I have followed step by step the instructions noted in the MFE's section "Allow inbound access to internal Servers" but with no luck.

       

      Steps performed:

       

      1. URL Translation - http://www.domain.com/exchange -> IP Srv Front End.

      2. Created New Defense Application Defense.

      3. Created under Generic (Required) a non-transparent HTTP connection.

      4. Created an application defense group with the previous settings.

      5. Created an Access Rule (Publishing) with the following parameters:

       

           5.1 Protocol = HTTP

           5.2 Source Zone = Internet

           5.3 Destination Zone = Internet

           5.4 Destination Endpoint = IP MFE External Interface & IP Server FE

           5.5 Application Defense = AD created previously.

       

      Any Idea?

        • 1. Re: Problems with publishing MS OWA 2003
          sliedl

          I'm guessing what you didn't do is use the Redirect section of this rule (or at least you didn't say you used it in your initial post).

           

          People are going to hit the external side of your firewall.  If you don't use the Redirect function this traffic will never be sent (redirected) to your internal server.  Select the internal IP of your server in the Redirect drop-down box in this inbound rule and it should work.

          • 2. Re: Problems with publishing MS OWA 2003
            imejia

            Hi,

             

            I already set in the Redirect box the Front End IP address as well as the Back End, and none of them works.... I'm still getting in IE "Host Not Found..gateway or Proxy server could not find the IP address of an upstream (web)". Appreciate your help...

            • 3. Re: Problems with publishing MS OWA 2003
              sliedl

              Have you looked at the audit?  Are you actually hitting this rule?


              Have you looked at tcpdumps?

              Did you do a tcpdump on your external interface to see if this traffic is even hitting your firewall in the first place?  That's the first thing I would do.

              If it hits your external interface, did you do a tcpdump on your internal interface to see if the traffic is actually leaving the internal side of your firewall and getting no response?  That's the second thing I would do.

               

              If you want to have people on the Internet reach your internal web server, you'd make a rule like this:

               

              Service: HTTP

              Source Zone: Internet

              Source IP: <Any>

              Dest Zone: Internet

              Dest IP: <Ext. IP of FW> or <Front End IP>  (You don't set the Front End IP in the redirect box (I'm assuming a 'front end IP' means an external IP address).)

              NAT: None

              Redirect: <Internal IP of web server> (<-- Is this what you called the Backend IP?)

               

              You could make a rule that works perfectly fine, and your traffic goes through the firewall and out your internal side and simply gets no response from your web server.  That's why tcpdumps are extremely important here.  If the traffic isn't even hitting the external side of your firewall it doesn't matter what kind of rule you make.  Check that it's hitting the external side of your firewall.

               

              If your external interface is em0, take the tcpdump like this:

              $> tcpdump -npi em0 port X and host y.y.y.y

              (replace X with the port this is coming in on and replace y.y.y.y with the SOURCE IP of the box you're testing from)

               

              You take the internal tcpdump the same way, except replace em0 with the name of your internal interface.
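The two-capture check sliedl describes (first the external interface, then the internal one) can be turned into a small triage script. The following is an added example, not code from the thread or from the MFE product: it parses constructed `tcpdump -n` style lines for the external and internal captures and reports at which of the three stages the flow stops. All addresses are made-up documentation-range values, and `10.0.0.25` is an assumed Exchange front-end address; because sliedl's rule uses NAT: None, the client's source IP is expected to survive unchanged on the internal side.

```python
import re
from dataclasses import dataclass

# Constructed values (not from the thread): a test client, the firewall's
# external address, and the internal OWA front-end the rule should redirect to.
CLIENT = "203.0.113.10"
FW_EXT = "198.51.100.5"
OWA_FE = "10.0.0.25"   # assumed internal front-end address
PORT = 80

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump -n line.
PKT = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_tcpdump(text):
    """Extract the TCP 4-tuple and flags from each tcpdump -n line; ignore the rest."""
    pkts = []
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            pkts.append(Packet(m.group(1), int(m.group(2)),
                               m.group(3), int(m.group(4)), m.group(5)))
    return pkts


def is_syn(p):
    # tcpdump prints a bare SYN as [S]; a SYN-ACK is [S.]
    return p.flags == "S"


def is_synack(p):
    return p.flags == "S."


def diagnose(ext_capture, int_capture, client, fw_ext, server, port):
    """Return the stage at which the published connection stops.

    NOT_REACHING_FIREWALL  - no SYN from the client on the external interface
                             (DNS/upstream problem, not a rule problem)
    NOT_LEAVING_INTERNAL   - SYN seen outside but never redirected to the server
                             (rule not matching or Redirect not set)
    SERVER_NOT_RESPONDING  - SYN reached the server, no SYN-ACK came back
    OK                     - handshake visible on both sides
    """
    ext = parse_tcpdump(ext_capture)
    inside = parse_tcpdump(int_capture)
    if not any(is_syn(p) and p.src == client and p.dst == fw_ext and p.dport == port
               for p in ext):
        return "NOT_REACHING_FIREWALL"
    # NAT: None, so the client's source address is still visible internally.
    if not any(is_syn(p) and p.src == client and p.dst == server and p.dport == port
               for p in inside):
        return "NOT_LEAVING_INTERNAL"
    if not any(is_synack(p) and p.src == server and p.sport == port and p.dst == client
               for p in inside):
        return "SERVER_NOT_RESPONDING"
    return "OK"


# Constructed sample captures for the four outcomes.
EXT_OK = """\
12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.80: Flags [S], seq 100, win 65535, length 0
12:00:01.000400 IP 198.51.100.5.80 > 203.0.113.10.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
"""
INT_OK = """\
12:00:01.000100 IP 203.0.113.10.51234 > 10.0.0.25.80: Flags [S], seq 100, win 65535, length 0
12:00:01.000300 IP 10.0.0.25.80 > 203.0.113.10.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
"""
INT_NO_REPLY = """\
12:00:01.000100 IP 203.0.113.10.51234 > 10.0.0.25.80: Flags [S], seq 100, win 65535, length 0
12:00:02.000100 IP 203.0.113.10.51234 > 10.0.0.25.80: Flags [S], seq 100, win 65535, length 0
"""

if __name__ == "__main__":
    for name, ext, inside in [("healthy", EXT_OK, INT_OK),
                              ("nothing outside", "", INT_OK),
                              ("no redirect", EXT_OK, ""),
                              ("server silent", EXT_OK, INT_NO_REPLY)]:
        print(f"{name:16s} -> {diagnose(ext, inside, CLIENT, FW_EXT, OWA_FE, PORT)}")
```

In practice the two inputs would be the saved output of the external and internal `tcpdump -npi <iface> port X and host y.y.y.y` runs; the point of the ordering is that a NOT_REACHING_FIREWALL result means no change to the access rule can help, which is exactly why sliedl asks for the external capture first.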

              • 4. Re: Problems with publishing MS OWA 2003
                imejia

                Hi again, sorry about the delay but I have been dealing with other ex-secure products.... so this is what I have done:

                 

                - Just as a clarification: when I say Front End, it's Microsoft lexicon in which you have two servers, one acting as a Front End server (RPC, OWA, etc.) and the other as a Back End server acting as mailbox or storage; so when I say Front End Server it is not the firewall's external interface... it's the Exchange Front End Server.

                 

                 

                Tasks performed:

                 

                1. I created an access rule for the Microsoft OWA server with the parameters that you mentioned in the last post and it works fine... I can access the portal and see my email.

                 

                The problem arises when I try to make multiple access rules for other internal resources such as the web site, SharePoint... etc. I have seen in the MFE documentation a "URL Translation" feature which helps for this type of scenario, which I tried by creating an Application Defense on the HTTP protocol as well as on the Generic (Required) section, then I put both things together in a Group. Then I set it in the Application Defense section of the Access Rule to accomplish the connection and URL translation settings, but I didn't have luck!

                 

                Questions:

                 

                1. Have you worked with the URL translation feature?

                2. What are the recommended settings for it?

                 

                Any help will be appreciated!

                 

                 

                Message was edited by: imejia on 10/26/10 8:48:49 PM CST
                • 5. Re: Problems with publishing MS OWA 2003
                  sliedl

                  You can download the MFE 8.0 Administration Guide from the knowledgebase (PD22656) or at this URL: https://mysupport.mcafee.com/eservice/productdocuments.aspx

                   

                  On page 259 is the section entitled "Allow inbound access to internal servers."  This section talks about the URL Translation feature.

                  • 6. Re: Problems with publishing MS OWA 2003
                    imejia

                    Voila! Finally it works! It was a misconfiguration problem.... I had the MFE's external interface as the destination endpoint instead of the internal servers..... Also there was a dark cloud over the Application Defense settings since I was not clear how it works. Thanks anyway!!