05-02-2010 05:21 AM
Just upgraded to 3.1.0 from 3.0.6.
I had the following URL filtering profile that I used on an inbound rule with SSL decryption so that people could only connect to valid Exchange/Outlook Web Access URLs:
webmail.ourdomain.co.uk/favicon.ico
webmail.ourdomain.co.uk/Exchange
webmail.ourdomain.co.uk/Exchweb
webmail.ourdomain.co.uk/Microsoft-Server*
webmail.ourdomain.co.uk/OMA
webmail.ourdomain.co.uk/public
webmail.ourdomain.co.uk/rpc
When I upgraded, that rule stopped working, which I found is because the wildcard syntax has changed in 3.1.
The issue is that it seems the PAN truncates the entire URL that is fed to the Exchange server, so I can't filter on the full-length virtual directory name, which is /Microsoft-Server-Activesync. If I add that to my URL policy, I see blocks in the URL logs for:
URL: webmail.ourdomain.co.uk/microsoft-server-activesync?user=joe&devic
URL: webmail.ourdomain.co.uk/microsoft-server-activedeviceid=imei35766301
05-03-2010 04:45 PM
In the change in 3.1.x, wildcards need to be preceded or followed by the following separators:
.
/
?
&
=
;
+
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
*.yahoo.com (tokens are *, yahoo, and com)
www.*.com (tokens are www, *, and com)
www.yahoo.com/search=* (tokens are www, yahoo, com, search, * )
*webmail.ourdomain.co.uk/Microsoft-Server** is invalid because "*" is not the only character in the token, i.e. "*webmail" and "Server**". Without valid separators your filter won't work.
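The token rule described in the reply above can be checked offline before an upgrade. The following is an added example, not code from the thread or from Palo Alto Networks; it implements only the rule as stated in that reply (it checks pattern syntax, not how the firewall matches or logs URLs), and the function names are hypothetical.

```python
import re

# Separators listed in the reply above for 3.1.x URL filter patterns.
SEPARATORS = "./?&=;+"
_SPLIT = re.compile("[" + re.escape(SEPARATORS) + "]")


def tokenize(pattern):
    """Split a pattern into tokens on the listed separators, dropping empties."""
    return [tok for tok in _SPLIT.split(pattern) if tok]


def invalid_tokens(pattern):
    """Return the tokens that break the stated rule.

    A token is invalid if it contains non-ASCII characters, or if it
    contains '*' together with any other character.
    """
    bad = []
    for tok in tokenize(pattern):
        if not tok.isascii():
            bad.append(tok)
        elif "*" in tok and tok != "*":
            bad.append(tok)
    return bad


def audit(patterns):
    """Map each pattern to its offending tokens (an empty list means valid)."""
    return {p: invalid_tokens(p) for p in patterns}


# Patterns quoted in the thread; the last entry is constructed for this example.
SAMPLES = [
    "*.yahoo.com",
    "www.*.com",
    "www.yahoo.com/search=*",
    "webmail.ourdomain.co.uk/Microsoft-Server*",
    "webmail.ourdomain.co.uk/Microsoft-Server-Activesync",
    "webmail.ourdomain.co.uk/rpc/*",  # constructed sample
]

if __name__ == "__main__":
    for pattern, bad in audit(SAMPLES).items():
        status = "ok" if not bad else "INVALID tokens: " + ", ".join(bad)
        print(f"{pattern:55} {status}")
```

Because `-` is not in the separator list, the whole of `Microsoft-Server*` is reported as a single offending token.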
05-04-2010 12:35 AM
Thanks for the reply.
I had read that. The problem is that the PAN won't recognize the true URL; it seems to truncate it.
The actual virtual Exchange directory would be "webmail.ourdomain.com/Microsoft-Server-Activesync" but if I enter that I see blocks because as per the log entry that I posted, the PAN seems to truncate the entire URL.
I could simply list webmail.ourdomain.com but the whole idea here is that I want to only allow access to the legitimate Outlook/Exchange Virtual Directories in IIS.
05-04-2010 11:37 AM
It's possible that this is a bug because it shouldn't be truncating. Please open a case with your support on this one.
05-05-2010 12:22 PM
Have done (Vadition). Presumably there are other customers using a PAN to reverse proxy Exchange/OWA? I can't imagine I'm trying to do anything unusual so if anyone's reading who is doing this, be interested to know your config.