Best practice for OWA and OMA

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Best practice for OWA and OMA

L1 Bithead


I'm getting rid of our old ISA server which we used to expose OWA and OMA and want to use our PA-500 to allow domain users access to OWA and OMA (for their iPads etc).

I've noticed that the application 'Outlook-web' is used for OWA and its dependancies are SSL (understandable) and Web-Browsing (not so understandable but it must be needed otherwise it wouldn't be a dependancy).

I'm going to look at loading the SSL certificate we use onto the PA-500 so it can decrypt the data but what else should I be looking at doing to provide maximum protection to the Exchange server (we just have one Exchange server that runs the CAS, HUB and Databses)? Any best practices?

Many thanks for reading and any help or advise would be really appreciated.

Edit:- we are using PAN-OS 4.1.7




L4 Transporter

Hi Alan,

In PAN-OS 5.0 the app dependencies are handled differently than previous versions.  You can now specify the application you want and the dependencies will automatically be temporarily enabled at the beginning of the session until your desired app has begun or App-ID gives up after a few packets.  This will block most unauthorized web browsing attempts (depending on how many packets are allowed before the web-browsing dependency is exhausted)

In PAN-OS 4.1 and below you can use a URL filtering profile to really lock down the config (you can still do this in PAN-OS 5.0, too).  Turn on a URL filtering profile (this works whether you have the URL database subscription or not) and set to alert on * in the block list.  Then check the logs to see what URLs OWA is using and add those to the URL allow list and set the block list to block.



Hi Kelly

Thanks for the reply.

I'm looking at the URL filtering now and hope to have something working by Monday (I've already got it working but just want to fine tune it a bit).

Interesting information on PAN-OS 5.0 and I'm going to bring my upgrade to the latest version forward a bit to take advantage of the new features.

Once again, thanks for the help.



L4 Transporter

With ISA you could establish the SSL connection with the firewall and have the firewall attach to the Exchange server for the client.  I don't think an SSL cert on the PA is useful for publishing OWA/activeyns as the clients will be passed on directly to the Exchange server.


PS please correct me if I am wrong.

Correct. The one think that the firewall won't do is 'publish' OWA in the sense that ISA does (its not a reverse proxy in that sense). However, with the SSL cert the firewall can decrypt the data as it passes by to ensure there are no hidden nasties.

Also with what Kelly mentioned, you can control what web sites are being hit to ensure only the ones you want to publish (again not in the ISA sense) are the only ones available - still trying to get the fine control working.

I will admit, I still get a warm fuzzy feeling publishing OWA/OMA via ISA as its not exposing the Exchange server directly to the big bad web but then again its using ISA and comparing that to our PA-500 its obvious the Pa-500 is in a different league....



  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!