01-27-2016 07:40 AM
We are using Exchange 2013 and have the Palo Alto allowing https access to it so our users can use OWA and ActiveSync. We recently discovered that users can also connect an Outlook client to our Exchange server from anywhere (no VPN needed) as long as they have a valid mailbox and password. We do not want this to be allowed but don't want to block access to OWA/ActiveSync. Is it possible to filter certain aspects of access to our Exchange server and not others using our Palo Alto firewall?
01-27-2016 08:43 AM
Hello,
I am running into a similar issue with a different product, email related. The PAN cannot differentiate unless it is performing the ssl decrypt function inbound. After that the PAN would be able to see the 'outlook' traffic. The other option would be on the exchange side, disable outlook anywhere.
Hope this helps.
01-27-2016 08:55 AM
It does help. Thank You. If i may ask, is it possible to decrypt the SSL traffic? and if so, is it a big deal to do so? Are there any downsides in terms of performance or security risk?
Re: disabling Outlook Anywhere. I thought the same thing but we need it enabled internally. Exchange 2013 doesn't seem to have a way to disable it for just external use.
01-27-2016 09:02 AM
Hello,
Yes the PAN can decrypt the ssl traffic, for what you are looking for, use the search term 'reverse proxy'. This should guide you. You will need access to the current ssl cert the exchange server uses otherwise there will be errors on the end user side etc. It would be to your advantage to test this during a maintenance period in case of errors, etc.
As for 'is it a big deal', it can be but it could also be simple. Unfortunatly it depends on your environment.
There will be some performance hit, but that depends on the model of PAN you have and the amount of traffic. After you implment it, watch the 'Dashboard, tab for the performance of the CPU.
As far as security risk, I think you would be increasing security not decreasing it. right now if email is sent into your organization via ssl/tls, the PAN cannot scan it. If you start to decryot that traffic, the PAN can use all its reasources to scan for malicious file attachments, etc.
Hope this helps!
09-07-2017 10:36 AM
Did anyone ever actually do this and implement it?
09-07-2017 12:22 PM
Which one exactly are you talking about; disabling Outlook Anywhere, decrypting SSL traffic? Either one is rather simple to implement in the majority of enviroments.
09-08-2017 11:55 AM
We eventually were able to start decrypting SSL traffic, but we did not attempt to use the PA firewall to block Outlook clients from connecting to mailboxes. It just hasn't gotten priority attention. I had to leave Outlook Anywhere enabled for internal stuff to work. So basically, we never solved this issue.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
