Decrypt Exchange traffic

Hi,

I'm trying out decrypting traffic to and from our Exchange server. When decrypting incoming traffic, the application changes from SSL to whatever is in there, i.e. ms-exchange, outlook-web, rpc-over-http etc. Now, for clients to be able to connect, I need to allow all these applications instead of only SSL. Would this potentially present more of a risk than not decrypting the traffic at all?

Please share your thoughts on this.

//Mikael


Re: Decrypt Exchange traffic

Hi Mikael,

Ideally you would create a security policy that not only allows the applications but also restricts the "tuples", e.g. source and destination zones, IPs and ports.

You could set a service to restrict all traffic to only the SSL ports used by your Exchange (usually 443 and possibly 993 for IMAP over SSL), which will limit the "cleartext" applications to connecting on their SSL ports only. Performing SSL decryption will allow you to detect attacks and infected traffic, which will help protect your Exchange far better than only allowing pure SSL.

You'll want to manually create service objects instead of using "application default", as that would allow traffic on the default ports, which you don't need in this scenario:

[screenshot: 2015-09-18_11-50-19.png]

regards

Tom

reaper - PANgurus.com
I drink and I know things

Re: Decrypt Exchange traffic

Hi,

Yes, I did set the zones and the public IP of the Exchange server. I did notice that using application default in our environment didn't work, since web-browsing is only allowed on port 80 by default and we do a redirect to HTTPS. So for the test I used 'any' for the service, which I would restrict if I decide on implementing this. But you would say that decrypting this traffic and allowing those applications is better (= safer) than just letting it pass through as SSL?

Thank you for your input on this.

//Mikael


Re: Decrypt Exchange traffic (Accepted Solution)

Hi Mikael,

Yes. If you first restrict the service ports to a custom set of allowed ports (443 etc.), this will restrict what kind of connections can be received.

The server should be configured to reject non-encrypted connections on these ports.

Decrypting the flow and allowing the applications will enable you to control application behaviour through App-ID (abnormal/unexpected behaviour should cause the session to be dropped). It will also enable Threat Protection for this inbound flow, making sure no malicious code or files are being transmitted to your server; you can even apply URL filtering or DLP profiles.

If the flow is left encrypted, the firewall cannot inspect for threats inside the SSL tunnel and your server could be attacked.

regards

Tom

reaper - PANgurus.com
I drink and I know things

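The following Python model is an added example, not code from this thread or from Palo Alto Networks. It reproduces the matching logic argued over in Tom's two replies and Mikael's follow-up: once the inbound TLS session is decrypted, App-ID names the inner application (ms-exchange, outlook-web, ...), so a rule that only allows "ssl" no longer matches; "application-default" as the service rejects web-browsing on 443 (Mikael's redirect case) while still admitting the same applications in cleartext on port 80 (Tom's objection); a custom service object limited to 443/993 admits the decrypted applications and nothing else. The zone names, the address 203.0.113.10, the four flows and the APP_DEFAULT_PORTS table are constructed assumptions for the model; the real App-ID metadata and rule-matching engine are richer than this first-match simplification.

```python
from dataclasses import dataclass

# Constructed assumption for this model only: a stand-in for the App-ID
# default-port metadata consulted when a rule's service is
# "application-default". Real App-ID entries may differ.
APP_DEFAULT_PORTS = {
    "ssl": {443},
    "web-browsing": {80},
    "ms-exchange": {80, 443},
    "outlook-web": {80, 443},
    "rpc-over-http": {80, 443},
}

# Applications the thread says appear once inbound Exchange TLS is decrypted.
EXCHANGE_APPS = frozenset(
    {"ms-exchange", "outlook-web", "rpc-over-http", "web-browsing", "ssl"})
EXCHANGE_IP = frozenset({"203.0.113.10"})   # constructed public IP of the CAS


@dataclass(frozen=True)
class Flow:
    """A session as seen on the wire, before the firewall classifies it."""
    src_zone: str
    dst_zone: str
    dst_ip: str
    dst_port: int
    inner_app: str   # what App-ID names the payload once it can read it
    tls: bool        # True if the payload is carried inside TLS


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    dst_ips: frozenset
    apps: frozenset
    service: object          # "any", "application-default" or frozenset of ports
    action: str = "allow"


def observed_app(flow: Flow, decrypt: bool) -> str:
    """Without decryption the firewall only ever sees 'ssl' on a TLS flow."""
    return "ssl" if flow.tls and not decrypt else flow.inner_app


def service_matches(rule: Rule, app: str, port: int) -> bool:
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return port in APP_DEFAULT_PORTS.get(app, set())
    return port in rule.service          # explicit service object (port set)


def rule_matches(rule: Rule, flow: Flow, app: str) -> bool:
    return (rule.from_zone == flow.src_zone
            and rule.to_zone == flow.dst_zone
            and ("any" in rule.dst_ips or flow.dst_ip in rule.dst_ips)
            and app in rule.apps
            and service_matches(rule, app, flow.dst_port))


def evaluate(rules, flow: Flow, decrypt: bool):
    """First matching rule wins; no match falls to the interzone default deny."""
    app = observed_app(flow, decrypt)
    for rule in rules:
        if rule_matches(rule, flow, app):
            return rule.action, rule.name, app
    return "deny", "interzone-default", app


def exchange_rule(name: str, service) -> Rule:
    return Rule(name, "untrust", "dmz", EXCHANGE_IP, EXCHANGE_APPS, service)


# The four policy variants discussed in the thread.
POLICIES = {
    "ssl-only": [Rule("allow-ssl", "untrust", "dmz", EXCHANGE_IP,
                      frozenset({"ssl"}), frozenset({443}))],
    "apps-service-any": [exchange_rule("allow-exchange", "any")],
    "apps-app-default": [exchange_rule("allow-exchange", "application-default")],
    # Tom's recommendation: custom service object, 443 plus 993 for IMAP/SSL.
    # (An IMAP app would still have to be listed in apps to use 993.)
    "apps-custom-ports": [exchange_rule("allow-exchange", frozenset({443, 993}))],
}

# Constructed sample flows hitting the Exchange server's public address.
FLOWS = {
    "activesync-tls": Flow("untrust", "dmz", "203.0.113.10", 443, "ms-exchange", tls=True),
    "owa-page-tls": Flow("untrust", "dmz", "203.0.113.10", 443, "web-browsing", tls=True),
    "rpc-cleartext-80": Flow("untrust", "dmz", "203.0.113.10", 80, "rpc-over-http", tls=False),
    "owa-tls-8443": Flow("untrust", "dmz", "203.0.113.10", 8443, "outlook-web", tls=True),
}


def verdicts(policy_name: str, decrypt: bool) -> dict:
    """Map each sample flow name to allow/deny under one policy variant."""
    rules = POLICIES[policy_name]
    return {name: evaluate(rules, flow, decrypt)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for policy in POLICIES:
        for decrypt in (False, True):
            print(f"{policy:18s} decrypt={decrypt!s:5s} {verdicts(policy, decrypt)}")
```

Reading the output top to bottom gives the thread's argument in one table: "ssl-only" breaks as soon as decryption is switched on, "apps-service-any" (Mikael's test setting) admits rpc-over-http in cleartext on port 80, "apps-app-default" denies the redirected web-browsing session on 443 yet still admits the port-80 cleartext flow, and only the custom service object admits exactly the decrypted Exchange applications on the TLS ports.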