<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Decrypt Exchange traffic in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/decrypt-exchange-traffic/m-p/64797#M38782</link>
    <description>&lt;P&gt;Hi Mikael&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yes, if you first restrict the service ports to a custom set of allowed ports (443 etc.), this will restrict what kind of connections can be received.&lt;/P&gt;
&lt;P&gt;The server should be configured to reject non-encrypted connections on these ports.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Decrypting the flow and allowing the applications will enable you to control application behavior through AppID (abnormal/unexpected behavior should cause the session to be dropped). It will also enable Threat Protection for this inbound flow, making sure no malicious code or files are being transmitted to your server; you can even apply URL filtering or DLP profiles.&lt;/P&gt;
&lt;P&gt;If the flow is left encrypted, the firewall cannot inspect for threats inside the SSL tunnel and your server could be attacked.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;regards&lt;/P&gt;
&lt;P&gt;Tom&lt;/P&gt;</description>
    <pubDate>Fri, 18 Sep 2015 14:20:00 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2015-09-18T14:20:00Z</dc:date>
    <item>
      <title>Decrypt Exchange traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/decrypt-exchange-traffic/m-p/64776#M38767</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm trying out decrypting traffic to and from our Exchange server. When decrypting incoming traffic, the application changes from SSL to whatever is in there, i.e. ms-exchange, outlook-web, rpc-over-http etc. Now for clients to be able to connect I need to allow all these applications instead of only SSL. Would this potentially present more of a risk than to not decrypt the traffic at all?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Please share your thoughts on this.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;//Mikael&lt;/P&gt;</description>
      <pubDate>Fri, 18 Sep 2015 08:17:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/decrypt-exchange-traffic/m-p/64776#M38767</guid>
      <dc:creator>mgusta</dc:creator>
      <dc:date>2015-09-18T08:17:27Z</dc:date>
    </item>
    <item>
      <title>Re: Decrypt Exchange traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/decrypt-exchange-traffic/m-p/64780#M38770</link>
      <description>&lt;P&gt;Hi Mikael&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Ideally you would create a security policy that not only allows the applications but also restricts the "tuples", e.g. source and destination zones, IPs and ports.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You could choose to set a service to restrict all traffic to only the SSL ports used by your Exchange (usually 443 and possibly 993 for IMAP SSL), which will limit the "cleartext" applications to connect to their SSL ports only. Performing SSL decryption will allow you to detect attacks and infected traffic, which will help protect your Exchange far better than only allowing pure SSL.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You'll want to manually create service objects instead of using "application default", as that would allow traffic on the default ports, which you don't need in this scenario:&lt;/P&gt;
&lt;P&gt;&lt;IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/382i5C38B7F3B4505F95/image-size/original?v=mpbl-1&amp;amp;px=-1" border="0" alt="2015-09-18_11-50-19.png" title="2015-09-18_11-50-19.png" /&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;regards&lt;/P&gt;
&lt;P&gt;Tom&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 18 Sep 2015 09:52:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/decrypt-exchange-traffic/m-p/64780#M38770</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2015-09-18T09:52:29Z</dc:date>
    </item>
    <item>
      <title>Re: Decrypt Exchange traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/decrypt-exchange-traffic/m-p/64782#M38771</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Yes, I did set the zones and public IP of the Exchange server. I did notice that using application default in our environment didn't work, since web-browsing is only allowed on port 80 by default and we do a redirect to HTTPS. So for the test I used 'any' for service, which I would restrict if I decide on implementing this. But you would say that decrypting this traffic and allowing those applications is better (=safer) than just letting it pass through as SSL?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you for your input on this.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;//Mikael&lt;/P&gt;</description>
      <pubDate>Fri, 18 Sep 2015 10:25:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/decrypt-exchange-traffic/m-p/64782#M38771</guid>
      <dc:creator>mgusta</dc:creator>
      <dc:date>2015-09-18T10:25:55Z</dc:date>
    </item>
    <item>
      <title>Re: Decrypt Exchange traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/decrypt-exchange-traffic/m-p/64797#M38782</link>
      <description>&lt;P&gt;Hi Mikael&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yes, if you first restrict the service ports to a custom set of allowed ports (443 etc.), this will restrict what kind of connections can be received.&lt;/P&gt;
&lt;P&gt;The server should be configured to reject non-encrypted connections on these ports.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Decrypting the flow and allowing the applications will enable you to control application behavior through AppID (abnormal/unexpected behavior should cause the session to be dropped). It will also enable Threat Protection for this inbound flow, making sure no malicious code or files are being transmitted to your server; you can even apply URL filtering or DLP profiles.&lt;/P&gt;
&lt;P&gt;If the flow is left encrypted, the firewall cannot inspect for threats inside the SSL tunnel and your server could be attacked.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;regards&lt;/P&gt;
&lt;P&gt;Tom&lt;/P&gt;</description>
      <pubDate>Fri, 18 Sep 2015 14:20:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/decrypt-exchange-traffic/m-p/64797#M38782</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2015-09-18T14:20:00Z</dc:date>
    </item>
  </channel>
</rss>

