14 Replies Latest reply on Feb 18, 2015 9:53 AM by Troja

    Malware scanning in RPC over http (Reverse-Proxy)

    maddivemax

      Hi,

       

      I was wondering if somebody has already run into the same issue with malware scanning of RPC over HTTP traffic (Outlook Anywhere).

       

      I'd like to replace TMG 2010 with MWG as reverse proxy at a customer site, but unfortunately I cannot manage to scan the traffic within the Outlook Anywhere stream. As soon as RPC_IN_DATA packets get into the GAM, Microsoft Outlook stops working.

      When a "Command.name equals RPC_IN_DATA" rule (Stop ruleset) is inserted before the GAM rule, Outlook Anywhere works as designed. But then I cannot detect malicious attachments like EICAR. :-(

       

      Has anyone already implemented RPC over HTTP with malware scanning successfully?

       

      Or does MWG not support this sort of traffic scanning?

       

      Thanks in advance for your hints

       

      maddivemax

        • 1. Re: Malware scanning in RPC over http (Reverse-Proxy)
          asabban

          Hello,

           

          what is the Exchange version you are running?

           

          best,

          Andre

          • 2. Re: Malware scanning in RPC over http (Reverse-Proxy)
            maddivemax

            Hi Andre,

             

            Well, at the customer site I have Exchange 2010, and I tried it in my test environment with Exchange 2013.

             

            In both versions I experienced the same issue. :-(

             

            Thanks,

            maddivemax

            • 3. Re: Malware scanning in RPC over http (Reverse-Proxy)
              Troja

              Hi Andre,

              We can see the RPC_Data_IN or RPC_Data_OUT packets in Policy Tracing Central on MWG.

              In both cases, when any of these packets is intercepted by the SSL Scanner, the communication fails.

              Cheers,

              Thorsten

              • 4. Re: Malware scanning in RPC over http (Reverse-Proxy)
                asabban

                Hello,

                 

                In all rule sets I have seen so far, all RPC_* calls had to be excluded from filtering. As soon as you look into this with MWG, the communication fails, as the data transferred does not seem to be HTTP. The difference from OWA is that in OWA we actually work with web technology (HTTP), while for Outlook Anywhere the data is encapsulated in some binary format we don't understand. I don't think there are good chances of filtering Outlook Anywhere... for OWA this should be possible, at least for Exchange 2010. In Exchange 2013 all data is encapsulated in JSON objects, and MWG by default does not know how to parse the JSON objects. This can be worked around, and AFAIK we are working on some kind of parser.

                 

                As I am currently setting up an Exchange for testing, I will have a look and see if there is something we can do, but I am relatively sure that the RPC_* calls cannot be filtered at the moment.

                 

                Best,

                Andre
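To make the rule order from the first post and Andre's explanation concrete, here is an added illustration in plain Python. It is constructed for this page; it is not McAfee Web Gateway code and not a policy export from this thread. It assumes the two Outlook Anywhere verbs RPC_IN_DATA and RPC_OUT_DATA, a stand-in "scanner" that only knows the EICAR test file (raw or base64-encoded, as a mail attachment travels), and three constructed sample requests; the 1 GB Content-Length on the RPC_IN_DATA request and the binary prefix in its body are illustrative values, not captured traffic.

```python
"""Constructed model of the rule order discussed in this thread.

Not McAfee Web Gateway code and not from the thread. It models two rules:

  1. Stop ruleset "Command.name equals RPC_IN_DATA" (plus RPC_OUT_DATA),
     evaluated before the Gateway Anti-Malware (GAM) rule -> skip scanning.
  2. Every other request -> content scan (here a stand-in that only knows
     the EICAR test file, raw or base64-encoded).

All sample requests below are constructed for the example.
"""
import base64
import re
from dataclasses import dataclass

# Verbs Outlook Anywhere (RPC over HTTP) uses against /rpc/rpcproxy.dll.
RPC_OVER_HTTP_VERBS = {b"RPC_IN_DATA", b"RPC_OUT_DATA"}

# EICAR test string, assembled from two halves so this file is not itself a
# complete signature match for an endpoint AV product.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
         b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Consecutive lines consisting only of base64 characters, e.g. a MIME
# attachment wrapped at 76 columns.
_B64_BLOCK = re.compile(rb"^(?:[A-Za-z0-9+/]{4,}={0,2}\r?$\n?)+", re.MULTILINE)


@dataclass
class Request:
    method: bytes
    target: bytes
    headers: dict
    body: bytes


@dataclass
class Decision:
    action: str  # "pass", "bypass-scan" or "block"
    reason: str


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP request into method, target, headers and body.
    Non-standard verbs such as RPC_IN_DATA are kept verbatim."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers, body)


def scan_for_eicar(body: bytes) -> bool:
    """Stand-in for the GAM scan: match EICAR in the raw body and inside any
    base64 block (the form in which a mail attachment actually travels)."""
    if EICAR in body:
        return True
    for block in _B64_BLOCK.findall(body):
        compact = block.replace(b"\r", b"").replace(b"\n", b"")
        try:
            decoded = base64.b64decode(compact, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if EICAR in decoded:
            return True
    return False


def apply_policy(raw: bytes) -> Decision:
    """Evaluate the two rules in the order the thread describes."""
    req = parse_request(raw)
    # Rule 1: the RPC tunnel is a binary stream, not HTTP content. Handing it
    # to the scanner is what stalls Outlook, so the Stop ruleset skips it.
    if req.method in RPC_OVER_HTTP_VERBS:
        return Decision("bypass-scan",
                        f"{req.method.decode()} to {req.target.decode()} "
                        "is an RPC-over-HTTP stream, not scanned")
    # Rule 2: ordinary HTTP (OWA, plain uploads) goes through the scanner.
    if scan_for_eicar(req.body):
        return Decision("block", "EICAR test file found in request body")
    return Decision("pass", "no malware detected")


def wrap76(data: bytes) -> bytes:
    """Wrap base64 text at 76 columns like a MIME body."""
    return b"\r\n".join(data[i:i + 76] for i in range(0, len(data), 76))


# --- constructed sample traffic (assumed values, not captured) -----------
# Outlook Anywhere inbound half-channel with an illustrative 1 GB
# Content-Length and an arbitrary binary prefix; the body carries EICAR to
# show that rule 1 never lets the scanner see it.
SAMPLE_RPC_IN = (
    b"RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.com:6001 HTTP/1.1\r\n"
    b"Host: mail.example.com\r\nContent-Length: 1073741824\r\n\r\n"
    b"\x05\x00\x14\x03\x10\x00\x00\x00" + EICAR + b"\x00\x00")

# OWA-style attachment upload with the same file, base64-encoded and wrapped.
SAMPLE_OWA_UPLOAD = (
    b"POST /owa/attachment.ashx HTTP/1.1\r\nHost: mail.example.com\r\n"
    b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
    b"--xyz\r\nContent-Disposition: form-data; name=\"file\"; "
    b"filename=\"eicar.com\"\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    + wrap76(base64.b64encode(EICAR)) + b"\r\n--xyz--\r\n")

SAMPLE_OWA_GET = b"GET /owa/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"


if __name__ == "__main__":
    for name, raw in (("RPC_IN_DATA", SAMPLE_RPC_IN),
                      ("OWA upload", SAMPLE_OWA_UPLOAD),
                      ("OWA GET", SAMPLE_OWA_GET)):
        d = apply_policy(raw)
        print(f"{name:12} -> {d.action:12} {d.reason}")
```

Running it shows the trade-off the thread is about: the OWA upload is blocked because its body is HTTP content the scanner can decode, while the RPC_IN_DATA request bypasses the scanner entirely even though the same EICAR bytes are in the stream, which is exactly why the Stop ruleset keeps Outlook working but lets the attachment through.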

                • 5. Re: Malware scanning in RPC over http (Reverse-Proxy)
                  Troja

                  Hi Andre,

                  Hmmm, pretty bad news. As you know, TMG will not be available/supported by Microsoft in the future. Today there is no solution to scan for and find malicious files within RPC over HTTP traffic or ActiveSync traffic.

                  More and more customers will have to change from TMG to another product.

                   

                  In the future it will be much easier to deploy an MWG reverse proxy solution if MWG is able to scan any traffic (Outlook Anywhere, ActiveSync, RPC over HTTP) to Microsoft Exchange Server.

                   

                  Cheers,

                  Thorsten

                  • 6. Re: Malware scanning in RPC over http (Reverse-Proxy)
                    maddivemax

                    Hi Andre,

                     

                    Thanks, although this is bad news!

                     

                    As Thorsten already mentioned, more and more customers are replacing TMG with alternative products. If we want to place an MWG as a "Web Security solution" at a customer site, MWG needs to be able to handle the three most used Microsoft services (OWA, RPC over HTTP, ActiveSync).

                     

                    Can you also confirm that ActiveSync cannot be scanned? I already sent EICAR mails to my test mailbox, which also gets synced via MWG. No synced mails were blocked.

                     

                    Thanks,

                    maddivemax

                    • 7. Re: Malware scanning in RPC over http (Reverse-Proxy)
                      asabban

                      Hello,

                       

                      Since I am not familiar with TMG, please allow my question. AFAIK TMG acts as a proxy server/firewall, but I was under the impression it simply forwarded packets from A to B without inspecting the content. In existing environments at customers, is TMG intercepting the traffic and applying AV filtering, etc.?

                       

                      Please let me know some more details if you have them. I read a little about Outlook Anywhere, and from what I read Exchange <= 2010 uses TCP over RPC, while 2013 starts using HTTP over RPC, which probably allows us to look into the packets better. I am setting up some lab systems and want to test a little to see what is possible.

                       

                      Best,

                      Andre

                      • 8. Re: Malware scanning in RPC over http (Reverse-Proxy)
                        Troja

                        Hi Andre,

                        Is there any new info available on how MWG can replace a TMG environment?

                        Best,

                        Thorsten

                        • 9. Re: Malware scanning in RPC over http (Reverse-Proxy)
                          krzysztof.anzorge

                          Hi,

                           

                          Do you have example screenshots or an XML policy export showing how a reverse proxy with RPC over HTTP is configured?

                          Do you use a next-hop proxy (like described in Web Gateway: Understanding Reverse Proxy) or another method?

                           

                          Thanks for any info.

                           

                          Best regards

                          Krzysztof.Anzorge
