I would like to set up an test environment using Exchange Active Sync. I believe the best way to accomplish this is to forward proxy the request and use SSL decryption but I was curious if anyone has examples or guidance on this. Thanks again.
currently we do not have any customer facing documents regarding active sync. But the configuration is
very straight forward. Allow active sync is the same as allowing any other application.
There are a couple of things to keep in mind:
1.We are able to identify active sync but since this traffic can be encrypted, you will need to configure ssl decrypt in order for the Pan device to detect the active sync traffic...otherwise we will just see it as ssl.....So you are correct and on the right path when you mention using ssl decryption.
2. By default we will allow active sync on ports 80 and 443, but it is possible that the mail server looks for active sync traffic on a different port. Thus you will need to either allow active sync on any port or create a service object that includes all of the ports that you know active sync is on and add the service object to the policy.
3. Keep in mind that your mobile device will be in the cloud and thus making connections to the mail server which will be behind the firewall will probably require a destination NAT rule. Thus create one.
If you have any other questions regarding this or if you need help with doing any of the above, feel free to call into support.
yes..no problem. Can you give me an idea of what you topology is or will be.
I assume that you have a phone that you have configured to point to your mail server for active sync.
Is this the case?
I need to know what zone your phone will be in and what zone you mail server will be.
You will need to allow ssl on the security policy that you have configured for active sync and you may need to allow imap.
Also you may need a destination NAT rule depending on what zone your phone is in.
Can you help me understand how far you are in the configuration and at what is the exact issue you are having trouble with.
Hello my phone will be in the untrust zone and my mail server will be in the trusted zone. I currently don't use IMAP but have been contemplating using it. The SSL decryption will also be enable for this security policy. Thanks for your help with this issue.
What I did, and I'm happy to be told it's not "best practise" but it works for us is:
Uploaded our website cert to the PAN for the reverse proxy.
Created an SSL inspection policy.
Created a rule that allows the https service to our exchange server.
On that rule I applied a URL filtering policy that only allows the Exchange virtual directories to that server.
Hey there sounds like something I could consider. Do you have the ability to monitor webmail traffic? Sometimes I have to troubleshoot by looking at firewall logs when users call and metion their phones are not syncing.
The Paloalto device will need a copy of the internal server certificate and key. This will need to be loaded in the following section of the Pan:
device tab, certificates, ssl vpn/ssl inbound instpection certificate.
You can get some guidance in doing this by logging into knowledge point and going to the following document:
....in case you want to search for it, the title of the document is "Loading IIS SSL Certificates in Panos"
Once the ssl server certificate is loaded on the Pan device, you can configure the ssl decryption policy for the inbound traffic. For the ssl decrypt policy you can use the source zone as untrust and the destination zone as untrust. Make the destination address the address of the the server and the category as "any" to decrypt. Make sure and use the certificate that you loaded onto the Pan device for ssl inbound inspection in the certificate column.
Then set up a security policy from untrust to trust, leave the source address as any, use the ip of the server in the destination address, use imap as the application (if that is the applicaiton that you choose to use), leave the service is any for now, add virus, spyware and vulnerability profiles if want additional protection.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!