Exchange 2010 - Applications Required?

networkadmin — Sun, 14 Aug 2011 12:46:17 GMT

We have a Palo Alto in front of an Exchange 2010 CAS server.

The Palo Alto is in a back-to-back config with a "dumb" firewall in front of it that only allows port 443 inbound.

The Palo Alto has the SSL cert from the Exchange box on it, so does SSL inspection on all the inbound traffic.

My questions is, can anyone who has Exchange 2010 behind a Palo Alto confirm which apps I'd need to allow if I wanted to be a little smarter than simply allowing port 443 through as a service?

If I drill down using App-ID into the destination IP, over the last 7 days these are the apps/sessions that I see:

outlook-web 8,055

ms-exchange 6,678

msrpc 4,197

web-browsing

3,037

ssl 2,929

dns 224

rpc-over-http 37

webdav 29

unknown-tcp 25

insufficient-data 12

http-audio 10

http-proxy 2

Obviously many of those are expected, but equally some aren't.

I'm concerned that unless the list of apps is absolutely correct people will start to find obscure pieces of access to Exchange/Outlook stop working.

Thanks in advance.

Re: Exchange 2010 - Applications Required?

skrall — Tue, 23 Aug 2011 18:28:24 GMT

The best way to find out what you need is to create a rule that allows traffic to from the mail server from trust to untrust. Then you can use the monitor tab to see all traffic passing through that Policy. Then you can allow just those applications.

I suspect the imprtant ones are these.

outlook-web 8,055

ms-exchange 6,678

web-browsing 3,037

ssl 2,929

dns 224

Steve Krall

topic Re: Exchange 2010 - Applications Required? in General Topics

Exchange 2010 - Applications Required?

Re: Exchange 2010 - Applications Required?