https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45959#M33770 <HTML><HEAD></HEAD><BODY><P>Do you have an Inbound NAT rule associated with the security policy? Untrust to Untrust for the zones, public facing ip for the destination address and then dnat it to your private ip address hosting the services in question.</P></BODY></HTML> Sat, 08 Oct 2011 20:22:42 GMT gswcowboy 2011-10-08T20:22:42Z https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45956#M33767 <HTML><HEAD></HEAD><BODY><P style="margin:0in;margin-bottom:.0001pt">I am trying to setup outlook web access (Exchange 2010) for my network.</P><P></P><P style="margin:0in;margin-bottom:.0001pt">Here is what I have done thus far:</P><P></P><P style="margin:0in;margin-bottom:.0001pt">Object -&gt; Addresses: Setup the internal address of the exchange server.</P><P style="margin:0in;margin-bottom:.0001pt">Policy -&gt; Security: Created a rule with the following data (Name: owa - Source Zone: untrusted - Address/User: any - Dest Zone: trusted - Dest Address: OWA - Dest Application: Outlook-web (factory defined) Dest Service: service-https (Factory Defined)</P><P></P><P style="margin:0in;margin-bottom:.0001pt">When I go to commit the changes I get this:</P><P></P><P style="margin:0in;margin-bottom:.0001pt">device: Rule 'OWA' application dependency warning:</P><P style="margin:0in;margin-bottom:.0001pt">- Application 'outlook-web' requires 'ssl' allowed in the policy</P><P style="margin:0in;margin-bottom:.0001pt">- Application 'outlook-web' requires 'web-browsing' allowed in the policy</P><P style="margin:0in;margin-bottom:.0001pt">Configuration committed successfully</P><P></P><P style="margin:0in;margin-bottom:.0001pt">Not sure what its telling me to do..</P><P></P><P style="margin:0in;margin-bottom:.0001pt">Thanks in advance</P><P style="margin:0in;margin-bottom:.0001pt">Wayne</P></BODY></HTML> Sat, 08 Oct 2011 12:37:47 GMT https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45956#M33767 WayneFusco 2011-10-08T12:37:47Z https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45957#M33768 <HTML><HEAD></HEAD><BODY><P>Never Mind - I figured it out..</P><P></P><P>Sweet!!!!</P></BODY></HTML> Sat, 08 Oct 2011 12:42:08 GMT https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45957#M33768 WayneFusco 2011-10-08T12:42:08Z https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45958#M33769 <HTML><HEAD></HEAD><BODY><P>Okay maybe not. </P><P></P><P>Dont know what needs to happen to connect from the outside world..</P></BODY></HTML> Sat, 08 Oct 2011 13:42:46 GMT https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45958#M33769 WayneFusco 2011-10-08T13:42:46Z https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45959#M33770 <HTML><HEAD></HEAD><BODY><P>Do you have an Inbound NAT rule associated with the security policy? Untrust to Untrust for the zones, public facing ip for the destination address and then dnat it to your private ip address hosting the services in question.</P></BODY></HTML> Sat, 08 Oct 2011 20:22:42 GMT https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45959#M33770 gswcowboy 2011-10-08T20:22:42Z https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45960#M33771 <HTML><HEAD></HEAD><BODY><P>Hi Thanks,</P><P></P><P>Can you break it down for me,</P><P></P><P>remember i am a newbee..</P><P></P><P>Here is the NAT policy I have</P><P></P><P>SZ: untrust DZ: trust DI: none SA: any DA: OWA ST: dyn ip &amp; port ether1/3 &amp; my pubic ip DT: address:owa port:433</P><P></P><P>Is this on the right track?</P></BODY></HTML> Sun, 09 Oct 2011 00:16:20 GMT https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45960#M33771 WayneFusco 2011-10-09T00:16:20Z https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45961#M33772 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>For any incoming connection, the NAT policy shouldbe like this:</P><P></P><P>Original</P><P>SRC Zone: untrust, src IP: any </P><P>Dst Zone: untrust, dst IP: public IP of OWA</P><P></P><P>Translated:</P><P>Src IP: any any</P><P>Dst IP: private IP, Static IP</P><P></P><P>For security:</P><P></P><P>Src Zone: Untrust, src IP: any</P><P>Dst Zone: DMZ, dst IP: public IP</P><P>Application: SSL (as OWA is encrypted)</P><P></P><P>Regards,</P><P></P><P>Jones</P></BODY></HTML> Sun, 09 Oct 2011 11:15:44 GMT https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45961#M33772 jleung 2011-10-09T11:15:44Z https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45962#M33773 <HTML><HEAD></HEAD><BODY><P style="margin:0in;margin-bottom:.0001pt">- Application 'outlook-web' requires 'ssl' allowed in the policy - <SPAN style="color: #ff0000;"><STRONG>In your policy In services allow tcp-443</STRONG></SPAN></P><P style="margin:0in;margin-bottom:.0001pt">- Application 'outlook-web' requires 'web-browsing' allowed in the policy - <SPAN style="color: #ff0000;"><STRONG>In your policy In services allow tcp-80.</STRONG></SPAN></P><P></P><P style="margin:0in;margin-bottom:.0001pt">See if this helps.</P></BODY></HTML> Tue, 11 Oct 2011 13:46:21 GMT https://live.paloaltonetworks.com/t5/general-topics/newbee-needs-help/m-p/45962#M33773 kamish 2011-10-11T13:46:21Z