Jump to:navigation, search
Wiki

Exchange Server via Reverse Proxy

From Securepoint Wiki






















































































De.png
En.png
Fr.png

Reverse-Proxy OWA.png









Access to the OWA interface of a Microsoft Exchange Server

Last adaptation to the version: 12.6.0

New:
  • Updated to Redesign of the webinterface
notempty
This article refers to a Resellerpreview
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 Applications Reverse-Proxy
  • These instruction describes how to establish the use of the Outlook Web App via a browser with the reverse proxy.
  • This is no instruction to enable the access with Outlook to the Exchange Server.
  • For this, we recommend using a VPN connection.

    • Prerequisite

    The prerequisite for these guideline is a fully functional Exchange Server with already imported certificates, on which the Outlook on the web. Formerly known as Outlook Web App can be called up with a Port Forwarding.

    Preparations

    Certificate

    Since Outlook on the web. Formerly known as Outlook Web Ap can only be reached via an SSL-encrypted connection, a certificate is required. There are various possibilities for this:

    • A certificate from a public certification authority that is purchased.
    • An ACME certificate (e.g.: Let's encrypt) → Wiki for creation and management
    • A certificate created by the UTM itself
      The certificate management is located in the menu Authentication Certificates .

    If not already available, a CA (Certification Authority) must be created and then, based on this CA, the certificate for the domain.

    • Further information on creating and importing certificates can be found in the Wiki article Certificates.
  • It is important with this certificate that the Common Name is identical with the external domain.
    If the client calls the domain owa.ttt-point.de, as in our example, the name of the certificate must also be owa.ttt-point.de.
    If subdomains are available, such as web.ttt-point.de, a so-called wildcard certificate can also be created. In our example, this is *.ttt-point.de.



    • Packet filter rule

    # Source Destination Service NAT Action Active
    Dragndrop.png 16 World.svg internet Interface.svg external-interface Tcp.svg https Accept On
    • The OWA of the Exchange Server is to be accessed exclusively via the proxy of the UTM.
    • Therefore, only access to the network object external interface, which provides the proxy, may be permitted for https connections from the Internet.
    • There must be no port forwarding to this Exchange server.


    User Webinterface Port

    In the factory setting, port 443 for https is already occupied by the user web interface of the UTM. This must then be changed to another port.
    The settings for this are in the menu Network Server Settings  Area Server Settings in the section
    Webserver
    .     		Server options UTMuser@firewall.name.fqdnNetwork UTM v12.6 Reverse-Proxy Exchange Servereinstellungen-en.png
    User Webinterface Port: 443Link=  →  4443Link=
    Save
  • If necessary, packet filter rules that allow access to the user web interface must be adjusted.


    • IIS Settings

  • Since the reverse proxy does not forward NTLM authentication, only Basic/Standardauth must be active in the IIS settings of the Exchange Server so that the clients can reach the OWA interface of the Exchange Server.


    • Configuration

    The settings for the reverse proxy are located in the menu Applications Reverse-Proxy
    Clicking on the button Reverse-Proxy wizard opens the wizard.


    Wizard

    Caption Value Description
    Step 1 - Internal
    Target Server: Exchange Server If the host has already been created as a network object, it can be selected directly in the drop-down menu. Reverse-Proxy assistant UTMuser@firewall.name.fqdnApplicationsReverse-Proxy UTM v12.6 Reverse-Proxy Exchange Assistent Schritt 1-en.pngTarget server already exists as a network object
    Port 443Link= Since the OWA of the Exchange can only be accessed via an encrypted connection, port 443 is selected.
    Use SSL: On SSL must be activated.
    Target Server: new server If the Exchange Server does not yet exist as a network object, it can be created via the selection point new server in the wizard. Reverse-Proxy assistant UTMuser@firewall.name.fqdnApplicationsReverse-Proxy UTM v12.6 Reverse-Proxy Exchange Assistent Schritt 1b-en.pngTarget server does not yet exist as a network object
    Server Name: Exchange Server Name of the network object
    IP Address: 192.168.145.2/--- IP address of the Exchange Server
    Zone: dmz1 Zone of the network object
  • It is recommended to set up the server in its own network with its own zone.
    • Port 443Link= Since the OWA of the Exchange can only be accessed via an encrypted connection, port 443 is selected.
    Use SSL: On SSL must be activated.
    Next
    Step 2 - External
    External domain name: owa.ttt-point.de The mail domain (ttt-point.de) is entered with an additional subdomain (owa) through which a client may access the OWA.

  • The public IP address that the client calls up from the Internet can also be entered here. However, it is then not possible to distinguish further individual servers via additional subdomains.
    		•  UTM v12.6 Reverse-Proxy Exchange Assistent Schritt 2-en.png
    Konfiguration des externen Zugriffs, damit der Reverse-Proxy auf Anfragen reagiert
    Mode HTTPS Access shall be exclusively encrypted via https.
    SSL-Proxy Port: 443Link= The OWA is also to be addressed directly via the usual port 443 for https.
    SSL certificate: owa.ttt-point.de The certificate that was selected in the step Preparations is selected here.
    Next
    Step 3 - Authentication
    Forward authentication: Forward login (client & proxy) The proxy passes authentication to the Exchange Server or the OWA through UTM v12.6 Reverse-Proxy Exchange Assistent Schritt 3-en.png
    Authentication for access from the Internet
    Authentication: on Authentication is required
    Since the reverse proxy does not forward NTLM authentication, only Basic/Standardauth must be active in the IIS settings of the Exchange Server so that the clients can reach the OWA interface of the Exchange Server.
    Finish

    Customize ACL Set

    To ensure that only the OWA interface can be accessed and not the administration web interface of the Exchange Server (Exchange Control Panel / ECP), the ACL set must be extended:
    An additional ACL ensures that only /owa can be accessed.
    Applications Reverse-Proxy  Area ACL Sets acl-Exchange-Server Add ACL

    		Add ACL UTMuser@firewall.name.fqdnApplicationsReverse-Proxy UTM v12.6 Reverse-Proxy Exchange ACL Set anpassen-en.pngNew ACL for OWA access
    Type urlpath_regex Restricts the URL path
    Argument: ^/owa Regular expressions (regex) are expected.

    Further paramaters in regex format are possible. However, these are not required for the Outlook Web App.

  • Use these parameters is at your own risk and is not recommended by Securepoint. Known security problems may occur, e.g. with ecp and PowerShell.
    If such services are required, an SSL VPN connection should be used.
    • ^/Autodiscover
    • ^/ecp
    • ^/EWS
    • ^/Exchange
    • ^/mapi
    • ^/Microsoft-Server-ActiveSync
    • ^/OAB
    • ^/PowerShell
    • ^/Rpc
    • ^/Exchweb
    • Additional parameters may be provided by Microsoft.
    Save and close
    		 Add ACL
    Save and close
    		 Save ACL set

    Certificate-based authentication

    In order to prevent unauthorised attackers from getting through to the Exchange Server (and its authentication) in the first place, Certificate-based authentication can be activated.
    The reverse proxy only forwards requests to the Exchange Server if a corresponding certificate is installed on the user's device.
    Enable certificate-based authentication:     		Reverse-Proxy UTMuser@firewall.name.fqdnApplications UTM v12.6 Reverse-Proxy Exchange Einstellungen mit SSL-CA-en.pngActivated certificate-based authentication
    SSL-CA CA-ttt-Point A certificate signed with the CA to be selected here must be installed on the user's device for this purpose.

  • Certificate-based authentication can not be used if access is also to be made with Outlook.
    For this purpose, we recommend access with a (SSL) VPN.


    • Overview

    The settings for this scenario must then look like this:

    Edit server group UTMuser@firewall.name.fqdnApplicationsReverse-Proxy UTM v12.6 Reverse-Proxy Exchange Servergruppen-en.png
    Server group
    Edit ACL set UTMuser@firewall.name.fqdnApplicationsReverse-Proxy UTM v12.6 Reverse-Proxy Exchange ACL-Sets-en.png
    ACL-Set
    Edit site UTMuser@firewall.name.fqdnApplicationsReverse-Proxy UTM v12.6 Reverse-Proxy Exchange Sites-en.png
    Sites
    Reverse-Proxy UTMuser@firewall.name.fqdnApplications UTM v12.6 Reverse-Proxy Exchange Einstellungen-en.png
    Options
    li class="list--element__alert list--element__warning">Only https should be used as the mode.












    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/APP/Reverse_Proxy-Exchange&oldid=94832"