Zone to Zone for OWA/activesync?


L4 Transporter

Our users' private devices are on a separate subnet/VLAN and a separate PA zone using the Google DNS servers. I have been forcing a captive portal in order to enable User-ID for these devices. This has been working fine.

I have set a rule so that these devices can access our Exchange server via OWA/activesync by going out to the internet and hitting the external OWA IP address. Problem is the User-IP mapping can't occur, except via captive portal, because of the NAT.

Is there any downside to:

  • Handing my internal DNS to the "private device" zone and then creating a rule so that the guest devices can do DNS resolution from my internal servers.
  • Allowing the "Private devices" to access my internal exchange server via a rule allowing zone to zone activesync/OWA?

In the old days (ports only) this would be unwise at best. Given the ability to only allow by App-ID, it seems like a reasonable idea.

Special note: The only devices on this "personal device" VLAN/subnet are private devices owned by students, which we would have at least a little bit of control over.

Any thoughts?



L3 Networker

Hi Bob,

I don't really have an answer for you; your policy should be what you need it to be. I think your question begs others: Do you have different policies for different users? If it's a BYOD VLAN and everyone gets outbound 80/443, is the UID relevant? Do you want to get rid of the captive portal?

For me, I'm not sure I'd bother with it; just tie down the web services the way you want and call it good. If your wifi environment supports it, you can use some sort of EAP to see the real UID behind the IP if anything interesting were to occur.

Sorry I didn't answer your question.



I guess I had an epiphany of sorts and wanted some verification.

Traffic between zones used to be a big negative. With app-level filtering, it seems it can be pretty darned safe, especially considering the applications I am talking about are published to the untrust zone anyway (activesync and OWA). Currently the private devices are getting NATed and coming back in to do activesync. Given App-ID publishing, it seems rather silly to go through all of that. And yes, you nailed it that I am interested in getting around the captive portal. If they have activesync, and the IP is not NATed, I should be able to run rules without captive portal.

So I guess your post at least verified with me that it is not a "bad" idea, given App-ID publishing rules and that all I am letting through is activesync.

Thanks for listening.


L6 Presenter

I believe you can allow the devices in the private zone to use your internal DNS servers and DMZ servers. If you are allowing these devices to reach the internet via your PAN, I believe you do have some control over these devices (unless you are giving internet access to an unknown/unlimited number of devices through your network) and you can identify the users using them via the User-ID agent. Also, since you are allowing traffic based on applications, this should not be a problem.


Sandeep T
