RE: [FW1] OWA 2000 behind https security server
Well, there is an easy solution for this:

1. Set up a new URI definition (mailserver-uri).

   GENERAL
   * Connection type: Transparent
   * URI Match specification type: Wildcard
   * Exception track: Log (recommended :-)

   MATCH
   * Schemes: http; Others: *
   * Methods: mark all of them.

   ACTION
   * Replace URI: https://yourmailserver.com

2. Make a new rule, something like this (translate the http-header connection to https):

   SRC   DST          SERVICE                          ACTION   TRACK
   Any   MAILSERVER   HTTP w/ resource mailserver-uri  Accept   Long

   Then you need one rule to open up for SSL:

   SRC   DST          SERVICE   ACTION   TRACK
   Any   MAILSERVER   HTTPS     Accept   Long

Of course, on your mail server you need to change the default web root from /exchange to /.

It's also possible to make the http-header translation in Exchange 2000, but then you need to open up port 80 to the web server, and since it's a M$ IIS server I wouldn't recommend that, since many exploits only run over a normal http connection; so it's better to let FW-1 do the translation and only have tcp 443 open to the mail server.

Cheerz!

Regards,
Jonas

-----Original Message-----
From: Frank Breedijk [mailto:[email protected]]
Sent: 31 July 2001 13:54
To: [email protected]; [email protected]
Cc: Johan Pater (E-mail); Ton van Rijswijk; Walter de Neve
Subject: [FW1] OWA 2000 behind https security server

Dear all,

We want to set up the following:

 ______    https    _____    http    __________
|Client|---------->| FW1 |--------->| OWA 2000 |
 ~~~~~~            ~~~~~~           ~~~~~~~~~~

The client accesses an Outlook Web Access 2000 server as a virtual server on the firewall (http://firewall.bla.com/owa maps to http://intranet-name/). However, the OWA server passes some URLs back which are in the form http://firewall.bla.com/exchange. This would terminate the encrypted connection and will not work in our configuration.
We found an MS Knowledge Base article which describes this:
http://support.microsoft.com/support/kb/articles/Q260/7/72.ASP?LN=EN-US&SD=gn&FR=0&qry=OWA%20front-end-https&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=EXCH2K

CAUSE
This problem is caused because the back-end server sometimes needs to send the client URLs to items, such as when the OWA client retrieves a list of messages in the inbox. When the client uses SSL to connect to the front-end server, the front-end server terminates the SSL connection and HTTP traffic between the front-end server and back-end server is in clear text. The front-end server notifies the back-end server that SSL was used so that when returning URLs, the back-end uses https:// instead of http://. The front-end server notifies the back-end server that SSL was used by passing in this HTTP header with each request:

    Front-End-Https: On

When the back-end server receives this header in a request, it sends back https:// URLs instead of http:// when it responds. When there is a separate server between the client and front-end that terminates the SSL connection, it needs to be able to add this header to notify the front-end server that SSL was used so that the front-end can in turn notify the back-end.

RESOLUTION
To resolve this problem, configure the proxy server to add the following header on upstream requests when OWA SSL requests are received:

    Front-End-Https: On

If the server cannot add this header, then you can also configure that server to re-initiate SSL between itself and the front-end. Although there is a performance hit for this, it ensures that the front-end server adds the header when it proxies the requests to the back-end server.

Is there a way to add the mentioned header to the stream?
Regards,

Frank Breedijk
ICT Security Officer
T: +31 20 88 78 113
F: +31 20 88 78 101
M: +31 6 29 007 623
E: [email protected]
http://www.interxion.com/

Interxion HeadQuarters BV
Gyroscoopweg 144
1042 AZ Amsterdam
The Netherlands
where the internet lives

To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
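The two things the thread asks an SSL-terminating proxy to do, written out as an added example (this is not code from either poster, and not FireWall-1 configuration; it is what a generic reverse proxy in front of the OWA front end would implement): on the clear-text upstream leg, assert `Front-End-Https: On` as the KB article describes, and, as a fallback for the symptom in the original question, rewrite any absolute `http://firewall.bla.com/...` URL the back end still returns to `https://`. The host name is the one from the thread; the request and response fragments are constructed. The security point the KB text does not spell out is that the proxy must discard any `Front-End-Https` header the client sends and set it only from how the client actually connected.

```python
"""Added example (not from the thread, not FW-1 configuration): the header
injection and URL rewriting an SSL-terminating proxy in front of an Exchange
2000 OWA front end has to do. Host names are from the thread; all request and
response data below is constructed.
"""
import re

# Hop-by-hop headers describe only the client<->proxy hop and must not be
# forwarded to the next hop (RFC 2616 section 13.5.1).
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def build_upstream_headers(client_headers: dict, client_used_tls: bool) -> dict:
    """Return the header set to send on the clear-text leg to the OWA front end.

    Any client-supplied Front-End-Https header is discarded: the proxy alone
    decides, from how the client actually connected, whether to assert it.
    Front-End-Https: On is added only when the client leg really was TLS.
    """
    connection_tokens = set()
    for name, value in client_headers.items():
        if name.lower() == "connection":
            connection_tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    upstream = {}
    for name, value in client_headers.items():
        lname = name.lower()
        if lname in HOP_BY_HOP or lname in connection_tokens or lname == "front-end-https":
            continue
        upstream[name] = value
    if client_used_tls:
        upstream["Front-End-Https"] = "On"
    return upstream


def _public_http_url(public_host: str) -> re.Pattern:
    """Pattern for http://<public host>, matched only when a path, port or
    delimiter follows, so http://firewall.bla.com.attacker.example is not touched."""
    host = re.escape(public_host.encode("ascii"))
    return re.compile(rb"http://" + host + rb"(?=[/:?#'\"\s<>]|$)", re.IGNORECASE)


def rewrite_absolute_urls(body: bytes, public_host: str) -> bytes:
    """Rewrite http://<public host>... to https://<public host>... in a response body,
    keeping whatever case the back end used for the host."""
    pattern = _public_http_url(public_host)
    return pattern.sub(lambda m: b"https://" + m.group(0)[len(b"http://"):], body)


def rewrite_response_headers(headers: dict, public_host: str) -> dict:
    """Apply the same rewrite to redirect-style headers (Location, Content-Location)."""
    out = {}
    for name, value in headers.items():
        if name.lower() in ("location", "content-location"):
            value = rewrite_absolute_urls(value.encode("latin-1"), public_host).decode("latin-1")
        out[name] = value
    return out


if __name__ == "__main__":
    # Constructed request as it would arrive over the client's TLS session.
    client_req = {
        "Host": "firewall.bla.com",
        "Connection": "keep-alive",
        "Front-End-Https": "On",  # supplied by the client: must be dropped, not trusted
        "Cookie": "sessionid=abc",
    }
    print(build_upstream_headers(client_req, client_used_tls=True))
    # Constructed OWA inbox fragment with the http:// link from the original question.
    body = b'<a href="http://firewall.bla.com/exchange/inbox/">Inbox</a>'
    print(rewrite_absolute_urls(body, "firewall.bla.com"))
    print(rewrite_response_headers({"Location": "http://firewall.bla.com/exchange/"}, "firewall.bla.com"))
```

The body rewrite is only a safety net: with the header in place the back end emits https:// URLs itself, and rewriting response bodies is fragile (compressed or chunked responses, URLs split across buffers). Jonas's FW-1 URI resource works on the request side instead, redirecting the clear-text request to the https:// name, which is why his rule set leaves only tcp 443 open to the mail server.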