Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Filtering Microsoft Exchange Server services [Outlook Anywhere, ActiveSync, OWA]

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Filtering Microsoft Exchange Server services [Outlook Anywhere, ActiveSync, OWA]

L2 Linker

We are using Exchange 2013 and have the Palo Alto allowing https access to it so our users can use OWA and ActiveSync.  We recently discovered that users can also connect an Outlook client to our Exchange server from anywhere (no VPN needed) as long as they have a valid mailbox and password.  We do not want this to be allowed but don't want to block access to OWA/ActiveSync.  Is it possible to filter certain aspects of access to our Exchange server and not others using our Palo Alto firewall? 

6 REPLIES 6

Cyber Elite
Cyber Elite

Hello,

I am running into a similar issue with a different product, email related. The PAN cannot differentiate unless it is performing the ssl decrypt function inbound. After that the PAN would be able to see the 'outlook' traffic. The other option would be on the exchange side, disable outlook anywhere.

 

Hope this helps.

It does help.  Thank You.  If i may ask, is it possible to decrypt the SSL traffic? and if so, is it a big deal to do so?  Are there any downsides in terms of performance or security risk? 

 

Re: disabling Outlook Anywhere.  I thought the same thing but we need it enabled internally.  Exchange 2013 doesn't seem to have a way to disable it for just external use.

Hello,

Yes the PAN can decrypt the ssl traffic, for what you are looking for, use the search term 'reverse proxy'. This should guide you. You will need access to the current ssl cert the exchange server uses otherwise there will be errors on the end user side etc. It would be to your advantage to test this during a maintenance period in case of errors, etc.

 

As for 'is it a big deal', it can be but it could also be simple. Unfortunatly it depends on your environment.

 

There will be some performance hit, but that depends on the model of PAN you have and the amount of traffic. After you implment it, watch the 'Dashboard, tab for the performance of the CPU.

 

As far as security risk, I think you would be increasing security not decreasing it. right now if email is sent into your organization via ssl/tls, the PAN cannot scan it. If you start to decryot that traffic, the PAN can use all its reasources to scan for malicious file attachments, etc.

 

Hope this helps!

Did anyone ever actually do this and implement it?

@Daniel_Drumm,

Which one exactly are you talking about; disabling Outlook Anywhere, decrypting SSL traffic? Either one is rather simple to implement in the majority of enviroments. 

We eventually were able to start decrypting SSL traffic, but we did not attempt to use the PA firewall to block Outlook clients from connecting to mailboxes. It just hasn't gotten priority attention.   I had to leave Outlook Anywhere enabled for internal stuff to work.  So basically, we never solved this issue.

  • 6874 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!