topic Zone to Zone for OWA/activesync? in General Topics

Zone to Zone for OWA/activesync?

BobW — Sun, 16 Dec 2012 07:28:19 GMT

Our users private devices are on a separate subnet/vlan and a separate PA zone using the Google DNS servers. I have been forcing a captive portal in order to enable user ID for these devices. This has been working fine.

I have set a rule so that these devices can access our exchange server via OWA/activesync by going out to the internet and hitting the external OWA IP address. Problem is the User-IP mapping can't occur, except via captive portal, because of the NAT.

Is there any down side to:

Handing my internal DNS to the "private device" zone and then creating a rule so that the guest devices can do DNS resolution from my internal servers.
Allowing the "Private devices" to access my internal exchange server via a rule allowing zone to zone activesync/OWA?

In the old days (ports only) this would be unwise at best. Given the ability to only allow by appid, it seems like a reasonable idea.

Special note: The only devices on this "personal device" vlan/subnet are private devices owned by students which we would have at least a little bit of control over.

Any thought?

Bob

Re: Zone to Zone for OWA/activesync?

msullivan — Mon, 17 Dec 2012 22:56:26 GMT

Hi Bob,

I don't really have an answer for you, your policy should be what you need it to be. I think your question begs others: Do you have different policies for different users? If its a BYOD vlan and everyone gets outbound 80/443, is the UID relevant? Do you want to get rid of the captive portal?

For me, I'm not sure I'd bother with it, just tie down the web services the way you want and call it good. If your wifi environment supports it, you can use some sort of EAP to see the real UID behind the IP if anything interesting were to occur.

Sorry I didn't answer your question.

Cheers,

Mike

Re: Zone to Zone for OWA/activesync?

BobW — Tue, 18 Dec 2012 01:42:18 GMT

I guess I had an epiphany of sorts and wanted some verification.

Traffic between zones used to be a big negative. With app level filtering, it seems it can be pretty darned safe. Especially considering the applications I am talking about are published to the untrust zone anyway (activsync and OWA). Currently the private devices are getting NATed and coming back in to do activesync. Given appid publishing it seems rather silly to go through all of that AND Yes, you nailed it that I am interested in getting around the captive portal. If they have activesync, and the IP is not NATed, I should be able to run rules without captive portal.

So I guess your post, at least verified with me that it i not a "bad" idea....given Appid publishing rules and all I am letting is activesync.

Thanks for listening.

bob

Re: Zone to Zone for OWA/activesync?

sdurga — Tue, 18 Dec 2012 02:41:41 GMT

I believe you can allow the devices in the private zone to use your internal DNS servers and DMZ servers. If you are allowing these devices to reach internet via your PAN, I believe you do have some control over these devices ( unless you are giving internet access to unknown/unlimited number of devices through your network) and you can identify the users using them via user-id agent. Also since you are allowing traffic based on applications this should not be a problem.

Thanks,

Sandeep T