RE: [FW1] OWA 2000 behind https security server



Well, there is an easy solution for this:

1. Set up a new URI definition (mailserver-uri).
	GENERAL/
	*Connection type: Transparent
	*URI Match specification type: Wildcard
	*Exception track: Log (recommended :-)
	MATCH/
	*Schemes: http, others: *
	*Methods: mark all of them.
	ACTION/
	*Replace URI: https://youmailserver.com

2. Make a new rule, something like this (translate the HTTP-header connection
to HTTPS):

	SRC   DST          SERVICE                            ACTION   TRACK
	ANY   MAILSERVER   HTTP w/ RESOURCE mailserver-uri    ACCEPT   LONG

	Then you need one rule to open up for SSL:

	SRC   DST          SERVICE                            ACTION   TRACK
	ANY   MAILSERVER   HTTPS                              ACCEPT   LONG

Of course, on your mail server you need to change the default web root from
/exchange to / ..

It's also possible to make the HTTP-header translation in Exchange 2000, but
then you need to open up port 80 to the web server, and since it's an
M$ IIS server I wouldn't recommend that, since many exploits only run over a
normal HTTP connection. So it's better to let FW-1 do the translation and only
have TCP 443 open to the mail server.

Cheerz!

Regards Jonas

-----Original Message-----
From: Frank Breedijk [mailto:[email protected]] 
Sent: 31 July 2001 13:54
To: [email protected];
[email protected]
Cc: Johan Pater (E-mail); Ton van Rijswijk; Walter de Neve
Subject: [FW1] OWA 2000 behind https security server



Dear all,

 
We want to set up the following:
 
 ______   https   _____   http   __________
|Client| -------> | FW1 | ------> | OWA 2000 |
 ~~~~~~           ~~~~~           ~~~~~~~~~~
 
The client accesses an Outlook Web Access 2000 server as a virtual server on
the firewall (http://firewall.bla.com/owa maps to http://intranet-name/).

However, the OWA server passes some URLs back which are in the form of
http://firewall.bla.com/exchange .
 
This would terminate the encrypted connection and will not work in our
configuration.
 
We found a MS knowledge base article which describes this:

http://support.microsoft.com/support/kb/articles/Q260/7/72.ASP?LN=EN-US&SD=gn&FR=0&qry=OWA%20front-end-https&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=EXCH2K
 

CAUSE


This problem is caused because the back-end server sometimes needs to send
the client URLs to items, such as when the OWA client retrieves a list of
messages in the inbox. When the client uses SSL to connect to the front-end
server, the front-end server terminates the SSL connection and HTTP traffic
between the front-end server and back-end server is in clear text. The
front-end server notifies the back-end server that SSL was used so that when
returning URLs, the back-end uses https:// instead of http://. The front-end
server notifies the back-end server that SSL was used by passing in this
HTTP header with each request: 


Front-End-Https: On 

When the back-end server receives this header in a request, it sends back
https:// URLs instead of http:// when it responds. When there is a separate
server between the client and front-end that terminates the SSL connection,
it needs to be able to add this header to notify the front-end server that
SSL was used so that the front-end can in turn notify the back-end. 



RESOLUTION


To resolve this problem, configure the proxy server to add the following
header on upstream requests when OWA SSL requests are received: 


Front-End-Https: On 

If the server cannot add this header, then you can also configure that
server to re-initiate SSL between itself and the front-end. Although there
is a performance hit for this, it ensures that the front-end server adds the
header when it proxies the requests to the back-end server. 

 
 
Is there a way to add the mentioned header to the stream?
 
Regards, 
Frank Breedijk
ICT Security Officer

T: +31 20 88 78 113
F: +31 20 88 78 101
M: +31 6 29 007 623
E: [email protected]
http://www.interxion.com/

Interxion HeadQuarters BV
Gyroscoopweg 144
1042 AZ  Amsterdam
The Netherlands

where the internet lives  



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
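As an added example (not code from either message in this thread, nor Check Point's or Microsoft's), here is a small Python reverse proxy that does in code what the two messages ask of the FW-1 HTTP security server: it adds the `Front-End-Https: On` header on the clear-text hop to OWA (the resolution in the KB article Frank quotes), and, as a fallback for a back-end that ignores that header, rewrites absolute `http://firewall.bla.com/...` URLs in response bodies and `Location` headers to `https://`, which is the effect Jonas's "Replace URI" resource is after. It assumes TLS is terminated in front of it, as FW-1's security server does, so `CLIENT_IS_TLS` is a fixed flag; the back-end name `owa-backend.internal` is hypothetical, and the public host `firewall.bla.com` is taken from the thread. One check the thread does not mention: any `Front-End-Https` header supplied by the client is dropped before the proxy sets its own, so a client on the plain-HTTP leg cannot spoof it.

```python
"""Reverse proxy between a TLS terminator and an OWA 2000 front-end.

Added example, not code from the thread. It does two things the thread wants
from the FW-1 security server:
  1. adds "Front-End-Https: On" on the clear-text hop (the fix from the KB
     article quoted in the thread) so OWA emits https:// URLs itself;
  2. as a fallback for a back-end that ignores that header, rewrites absolute
     http://<public host>/... URLs in HTML/XML bodies and Location headers to
     https://, the effect the FW-1 "Replace URI" resource aims at.
Assumptions: TLS is terminated in front of this proxy (so CLIENT_IS_TLS is a
fixed flag here) and the back-end host name is hypothetical.
"""
import http.client
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

PUBLIC_HOST = "firewall.bla.com"        # name clients use (from the thread)
BACKEND = ("owa-backend.internal", 80)  # hypothetical OWA front-end, port 80 only
CLIENT_IS_TLS = True                    # would come from the TLS terminator in a real deployment
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection",
              "transfer-encoding", "te", "upgrade"}


def upstream_headers(client_headers, client_is_tls):
    """Build the headers for the clear-text hop to OWA.

    Any client-supplied Front-End-Https is dropped first so a plain-HTTP
    client cannot spoof it; it is then set to On only when the client leg
    was TLS. Host is forced to the public name because OWA builds its
    absolute URLs from it.
    """
    out = {}
    for name, value in client_headers.items():
        low = name.lower()
        if low in HOP_BY_HOP or low in ("front-end-https", "host"):
            continue
        out[name] = value
    out["Host"] = PUBLIC_HOST
    if client_is_tls:
        out["Front-End-Https"] = "On"
    return out


def rewrite_to_https(text, public_host=PUBLIC_HOST):
    """Turn absolute http://public_host[:80]/... URLs into https://.

    The lookahead ends the match at the host name, so
    http://public_host.evil.example and http://public_host:8080 are left
    alone, and URLs for other hosts (e.g. the intranet name) are never touched.
    """
    pattern = re.compile(
        r"http://" + re.escape(public_host) + r"(?::80)?(?=[/\"'<>\s?#]|$)",
        re.IGNORECASE,
    )
    return pattern.sub("https://" + public_host, text)


class OwaProxy(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _proxy(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        conn = http.client.HTTPConnection(*BACKEND)
        conn.request(self.command, self.path, body,
                     upstream_headers(dict(self.headers), CLIENT_IS_TLS))
        resp = conn.getresponse()
        payload = resp.read()
        conn.close()
        # OWA 2000 answers with HTML and WebDAV XML; both may carry absolute URLs.
        ctype = resp.getheader("Content-Type", "")
        if ctype.startswith(("text/", "application/xml")):
            payload = rewrite_to_https(payload.decode("utf-8", "replace")).encode("utf-8")
        self.send_response(resp.status, resp.reason)
        for name, value in resp.getheaders():
            low = name.lower()
            if low in HOP_BY_HOP or low == "content-length":
                continue
            if low == "location":
                value = rewrite_to_https(value)
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(payload)

    # OWA 2000 uses WebDAV verbs as well as GET/POST ("Methods: mark all of them").
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _proxy
    do_OPTIONS = do_PROPFIND = do_PROPPATCH = do_SEARCH = do_MOVE = do_COPY = _proxy


if __name__ == "__main__":
    # Listen on the clear-text side of the TLS terminator.
    HTTPServer(("127.0.0.1", 8080), OwaProxy).serve_forever()
```

Run it behind whatever terminates TLS and point that at 127.0.0.1:8080; only TCP 443 needs to be open from the outside, matching Jonas's second rule. The body rewrite is deliberately scoped to the public host name so that intranet URLs, which must not become https://, and look-alike hosts are left untouched.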



   All contents © 2004 Network Presence, LLC. All rights reserved.