08-14-2011 05:46 AM
We have a Palo Alto in front of an Exchange 2010 CAS server.
The Palo Alto is in a back-to-back config with a "dumb" firewall in front of it that only allows port 443 inbound.
The Palo Alto has the SSL cert from the Exchange box on it, so does SSL inspection on all the inbound traffic.
My question is, can anyone who has Exchange 2010 behind a Palo Alto confirm which apps I'd need to allow if I wanted to be a little smarter than simply allowing port 443 through as a service?
If I drill down using App-ID into the destination IP, over the last 7 days these are the apps/sessions that I see:
outlook-web 8,055
ms-exchange 6,678
msrpc 4,197
web-browsing 3,037
ssl 2,929
dns 224
rpc-over-http 37
webdav 29
unknown-tcp 25
insufficient-data 12
http-audio 10
http-proxy 2
Obviously many of those are expected, but equally some aren't.
I'm concerned that unless the list of apps is absolutely correct people will start to find obscure pieces of access to Exchange/Outlook stop working.
Thanks in advance.
08-23-2011 11:28 AM
The best way to find out what you need is to create a rule that allows traffic to and from the mail server from trust to untrust. Then you can use the monitor tab to see all traffic passing through that policy. Then you can allow just those applications.
I suspect the important ones are these.
outlook-web 8,055
ms-exchange 6,678
web-browsing 3,037
ssl 2,929
dns 224
Steve Krall
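The procedure above (permissive rule, watch the traffic log, then lock the rule down to the apps actually seen) can be done from an exported traffic log rather than by eyeballing the monitor tab. The script below is an added example, not code from either poster or from Palo Alto Networks. The log rows are constructed and use a simplified column layout (a real PAN-OS CSV export has many more fields); the CAS address 192.0.2.25, the rule and zone names, and the PAN-OS `set rulebase security rules ...` syntax in `render_cli` are assumptions for illustration and should be checked against your PAN-OS version. The point it adds beyond the thread: App-ID labels such as `unknown-tcp` and `insufficient-data` are not applications, they mean the firewall could not identify the session, so putting them in the allow list is close to opening the port again; the script always parks them for review instead.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of traffic-log rows (NOT a real PAN-OS export).
# Simplified columns: receive_time,src,dst,dport,app,action,rule
SAMPLE_LOG = """\
receive_time,src,dst,dport,app,action,rule
2011/08/14 05:00:01,203.0.113.10,192.0.2.25,443,outlook-web,allow,exchange-discovery
2011/08/14 05:00:02,203.0.113.11,192.0.2.25,443,outlook-web,allow,exchange-discovery
2011/08/14 05:00:03,203.0.113.12,192.0.2.25,443,outlook-web,allow,exchange-discovery
2011/08/14 05:00:04,203.0.113.13,192.0.2.25,443,outlook-web,allow,exchange-discovery
2011/08/14 05:00:05,203.0.113.14,192.0.2.25,443,outlook-web,allow,exchange-discovery
2011/08/14 05:01:01,203.0.113.10,192.0.2.25,443,ms-exchange,allow,exchange-discovery
2011/08/14 05:01:02,203.0.113.11,192.0.2.25,443,ms-exchange,allow,exchange-discovery
2011/08/14 05:01:03,203.0.113.12,192.0.2.25,443,ms-exchange,allow,exchange-discovery
2011/08/14 05:01:04,203.0.113.13,192.0.2.25,443,ms-exchange,allow,exchange-discovery
2011/08/14 05:02:01,203.0.113.20,192.0.2.25,443,ssl,allow,exchange-discovery
2011/08/14 05:02:02,203.0.113.21,192.0.2.25,443,ssl,allow,exchange-discovery
2011/08/14 05:02:03,203.0.113.22,192.0.2.25,443,ssl,allow,exchange-discovery
2011/08/14 05:03:01,203.0.113.30,192.0.2.25,443,web-browsing,allow,exchange-discovery
2011/08/14 05:03:02,203.0.113.31,192.0.2.25,443,web-browsing,allow,exchange-discovery
2011/08/14 05:04:01,192.0.2.25,198.51.100.53,53,dns,allow,exchange-discovery
2011/08/14 05:04:02,192.0.2.25,198.51.100.53,53,dns,allow,exchange-discovery
2011/08/14 05:05:01,203.0.113.40,192.0.2.25,443,rpc-over-http,allow,exchange-discovery
2011/08/14 05:06:01,203.0.113.50,192.0.2.25,443,insufficient-data,allow,exchange-discovery
2011/08/14 05:06:02,203.0.113.51,192.0.2.25,443,insufficient-data,allow,exchange-discovery
2011/08/14 05:07:01,203.0.113.60,192.0.2.25,443,unknown-tcp,allow,exchange-discovery
2011/08/14 05:08:01,203.0.113.70,192.0.2.25,443,http-audio,allow,exchange-discovery
2011/08/14 05:09:01,203.0.113.80,192.0.2.30,443,ssl,allow,other-server
"""

# App-ID labels that mean "could not identify the session". Allowing these
# in a rule is not much better than opening the port, so they are never
# placed on the proposed allow list automatically.
UNIDENTIFIED = {"unknown-tcp", "unknown-udp", "insufficient-data"}


def count_apps(log_text, host):
    """Tally App-ID hits for sessions where the CAS server is source or destination."""
    counts = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        if host in (row["src"], row["dst"]):
            counts[row["app"]] += 1
    return counts


def propose_allowlist(counts, threshold):
    """Split observed apps into (allow, review) lists of (app, hits) tuples.

    Apps seen at least `threshold` times go on the allow list. Rarer apps and
    the unidentified labels go to review so a person decides whether they are
    a legitimate Exchange/Outlook code path (e.g. rpc-over-http for Outlook
    Anywhere) or just noise. Both lists are ordered most frequent first.
    """
    allow, review = [], []
    for app, hits in counts.most_common():
        if app in UNIDENTIFIED or hits < threshold:
            review.append((app, hits))
        else:
            allow.append((app, hits))
    return allow, review


def render_cli(rule_name, from_zone, to_zone, dst, apps):
    """Render the allow list as a PAN-OS CLI 'set' command.

    Assumed syntax for illustration only; verify against your PAN-OS version.
    'service application-default' keeps each app on its standard port rather
    than re-opening 443 for everything.
    """
    return (f"set rulebase security rules {rule_name} from {from_zone} to {to_zone} "
            f"source any destination {dst} application [ {' '.join(apps)} ] "
            f"service application-default action allow")


if __name__ == "__main__":
    counts = count_apps(SAMPLE_LOG, "192.0.2.25")
    allow, review = propose_allowlist(counts, threshold=2)
    print("allow :", allow)
    print("review:", review)
    print(render_cli("exchange-cas-in", "untrust", "trust", "192.0.2.25",
                     [app for app, _ in allow]))
```

Run it against your own export once you have a week or so of traffic behind the discovery rule; the review list is the part worth a human look, because a low-count app may still be a real Outlook feature that only a few users touch.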