
SonicOS: Advanced Outlook Web Access (OWA) Configuration with ... http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=35...

Question/Topic

SonicOS: Advanced Outlook Web Access (OWA) Configuration with Exchange across SonicWALL Firewall

Answer/Article

Background

The Microsoft Exchange system features several components which must be able to communicate in order
for the entire system to function properly. The Microsoft Exchange components and firewalls such as the
SonicWALL must all be configured to provide network security while allowing this important
communication to take place across the network.

Microsoft Exchange often involves the implementation of a front-end and a back-end server. The
front-end server provides users with options such as Outlook Mobile Access and Outlook Web Access to
facilitate access to calendars, contacts and e-mail through a web browser. This server must be made
reachable by all users with the proper credentials using a standard web browser; thus, it must be able to
accept HTTP and HTTPS traffic from anywhere on the Internet.

The back-end server is the workhorse of the system, performing functions such as sending and receiving
e-mail, storing calendar and contact data, serving Microsoft Outlook clients on its LAN and much more.
This server should not be made available to all Internet users for security reasons. Only LAN users and
those connected through a secured VPN tunnel should be permitted direct access using the Outlook client.
All others should be directed through the front-end server using Outlook Web Access. The back-end server
does require inbound and outbound access for certain protocols from the Internet in order to perform its
functions. This involves the creation of firewall access rules and NAT (network address translation) policies
to permit and translate SMTP (TCP port 25) traffic to and from the back-end server.

Both the front-end and back-end servers must also be able to communicate with a third component in
order to authenticate users. This component is the Active Directory (AD) server, also sometimes known
as a domain controller (DC). While the back-end server should be able to easily communicate with the AD
server on the LAN side of the firewall, it is necessary to create the access rules to permit and translate
several ports and protocols between the front-end and back-end servers. It is also necessary to modify
the System Registry of the back-end server to use fixed rather than dynamic port numbers to handle
some Active Directory traffic.

Microsoft Knowledge Base Article

This document relies heavily on the information contained in the Microsoft Knowledge Base article entitled
Microsoft Exchange Static Port Mappings found at http://support.microsoft.com/kb/270836/en-us. It is
highly recommended that you thoroughly review and understand the content in this article before
implementing your Microsoft Exchange system across the SonicWALL.

Scenario

We must make a number of reasonable assumptions in order to effectively describe the implementation
of a Microsoft Exchange system across the SonicWALL. If your network varies, please adjust these
instructions as needed. The following configuration is assumed:

• The Microsoft Exchange front-end server is connected to the SonicWALL’s DMZ in transparent mode with
a public IP address.

• The Microsoft Exchange back-end server is connected to the SonicWALL’s LAN with a static private IP
address assigned.

• The Active Directory server is connected to the SonicWALL’s LAN with a static private IP address
assigned.

• You are familiar with the basic operation of both the Microsoft Exchange system and the SonicWALL.

• The SonicWALL is running SonicOS Standard or Enhanced firmware.

• The SonicWALL’s OPT interface or DMZ is configured in transparent mode using the WAN public IP
address.

• The SonicWALL’s WAN has been assigned at least two static public IP addresses: one for the SonicWALL
and one for the Microsoft Exchange front-end server.

1 von 4 30.03.2011 23:43

• Static private IP addresses have been assigned behind the SonicWALL for the Active Directory server
and the Microsoft Exchange back-end server.

Domain Controller System Registry Modification to Statically Map Port

In order to enable the front-end server to authenticate against one or more Active Directory servers or
domain controllers, it is necessary to modify the System Registry on each such server to statically map
the Active Directory logon and directory replication interface service to a specific port number. We will
map this to port 5000 for this scenario, though a different number may need to be chosen if 5000
represents a conflict on your AD server. Follow these steps to modify the Registry:

1. Start Registry Editor.

2. Select the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

3. Add the following registry value:

Value name: TCP/IP Port
Value type: REG_DWORD
Base: Decimal
Value: A value that is more than 1024

4. If you are able to follow the example exactly, use 5000 as the value for this Registry key.

5. Exit the Registry Editor.

Note: Use extreme caution when editing your System Registry and refer to the previously indicated
Microsoft Knowledge Base article for additional information.
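The same registry change, scripted so it can be applied consistently to every domain controller, as an added example that is not part of the KB article or of any SonicWALL or Microsoft tooling. The key path, value name and the value 5000 follow the steps above; the free-port check, the use of Get-NetTCPConnection (available on Windows 8 / Server 2012 and later) and the read-back verification are this script's own assumptions. Run it from an elevated PowerShell session on the domain controller.

```powershell
# Added example, not part of the KB article: set the static NTDS port on a domain
# controller. Key path, value name and port follow the article's registry steps; the
# free-port check and Get-NetTCPConnection (Windows 8 / Server 2012 or later) are
# assumptions of this script.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'TCP/IP Port'
$Port      = 5000

# The article requires a value above 1024.
if ($Port -le 1024 -or $Port -gt 65535) {
    throw "Port must be greater than 1024 and at most 65535; got $Port"
}

# Refuse to proceed if something on this server already listens on the chosen port,
# which is the "conflict" case the article warns about.
$listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
if ($listener) {
    $pids = ($listener | Select-Object -ExpandProperty OwningProcess -Unique) -join ', '
    throw "TCP port $Port is already in use (PID $pids); choose a different value"
}

# Record the current setting so the change can be reverted if needed.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Host "'$ValueName' is not set; NTDS currently uses a dynamic port."
} else {
    Write-Host "'$ValueName' is currently $current."
}

# Create or overwrite the REG_DWORD value (-Force overwrites an existing value).
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Port -Force | Out-Null

# Read it back to confirm the write succeeded.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -ne $Port) { throw "Registry value was not written as expected (read back $after)" }
Write-Host "'$ValueName' is now $after. Restart the domain controller so NTDS binds to the new port."
```

The new port is only used after the domain controller restarts; once it is back up, `Get-NetTCPConnection -State Listen -LocalPort 5000` should show the listener owned by lsass.exe, which is the process that hosts NTDS. That is the state the firewall rules in the next section depend on.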

Configure the SonicWALL

Now that the Active Directory server(s) have been configured to accept AD logons through a static port
number, it is time to configure the SonicWALL to permit and translate the needed traffic.

Configuring SonicOS Standard

Follow these steps to enable your firewall running SonicOS Standard to permit and translate the required
traffic from the front-end Exchange server on the DMZ to the Active Directory and back-end Exchange
server on the LAN:

1. On the SonicWALL, select Firewall > Services > Add.

2. Create a service for each of the ports and protocols below, naming each service “Exchange”:

TCP 53
UDP 53
TCP 80
TCP 88
UDP 88
TCP 135
TCP 389
UDP 389
TCP 445
TCP 3268
TCP 5000
UDP 5000

3. On the Firewall > Access Rules page, create a firewall rule as follows to allow HTTP traffic inbound to
the front-end server on the DMZ:

Action: Allow
Service: HTTP
Source: Any
Destination interface: OPT
Destination address: [front-end server’s DMZ public IP address]

4. On the Firewall > Access Rules page, create a firewall rule as follows to allow HTTPS traffic inbound to
the front-end server on the DMZ:

Action: Allow
Service: HTTPS
Source: Any
Destination interface: OPT
Destination address: [front-end server’s DMZ public IP address]

5. Now, create another firewall access rule allowing the previously defined “Exchange” service to pass
inbound from the front-end server to the back-end Exchange server:

Action: Allow
Service: Exchange
Source Interface: OPT
Source Address: [front-end server’s DMZ public IP address]
Destination Interface: LAN
Destination Address: [back-end server’s LAN IP address]

6. Create one more firewall access rule similar to the one above, allowing the same “Exchange” traffic
from the front-end server’s DMZ address to the destination LAN IP address of the Active Directory server.

Perform the following steps to test and troubleshoot this completed implementation:

1. Connect with the front-end server’s DMZ IP address from a machine on the WAN and log in to Outlook
Web Access.

2. Test your ability to read and write e-mail and perform all other OWA functions as configured on your
Exchange server.

3. If “page cannot be displayed” is shown, check the firewall access rules and log on the SonicWALL for
packets being dropped at the DMZ.

4. If login fails or other issues are observed after reaching the Outlook Web Access web page, check
firewall rules and log for packets being dropped on the LAN.

Configuring SonicOS Enhanced

Follow these steps to enable your firewall running SonicOS Enhanced to permit and translate the required
traffic from the front-end Exchange server on the DMZ to the Active Directory and back-end Exchange
server on the LAN:

1. Select the Network > Address Objects > Add a new address object page and create the following host
objects:

frontend_dmz – IP address of the front-end Exchange server connected to the DMZ
backend_lan – IP address of the back-end Exchange server on the LAN
ad_lan – IP address of the Active Directory server on the LAN

2. Select Firewall > Services > Add new service object and create the following new services:

LDAP_Global_Catalog - TCP 3268
AD_Logon_TCP - TCP 5000
AD_Logon_UDP - UDP 5000

3. Select Firewall > Services > Add new service group and create a group named Exchange containing the
following service objects as members:

LDAP_Global_Catalog
AD_Logon_TCP
AD_Logon_UDP
DNS
DCE EndPoint
LDAP
Kerberos
TCP Kerberos
UDP SMB

4. On the Firewall > Access Rules page, create a WAN to DMZ firewall rule as follows to allow HTTP traffic
inbound to the front-end server on the DMZ:

Action: Allow
Service: HTTP
Source: Any
Destination zone: DMZ
Destination address: frontend_dmz

5. On the Firewall > Access Rules page, create a WAN to DMZ firewall rule as follows to allow HTTPS
traffic inbound to the front-end server on the DMZ:

Action: Allow
Service: HTTPS
Source: Any
Destination Zone: DMZ
Destination address: frontend_dmz

6. Now, create a DMZ to LAN firewall access rule allowing the previously defined “Exchange” service group
to pass inbound from the front-end server to the back-end Exchange server:

Action: Allow
Service: Exchange
Source Interface: OPT
Source Address: [front-end server’s DMZ public IP address]
Destination Interface: LAN
Destination Address: [back-end server’s LAN IP address]

7. Create one more DMZ to LAN firewall access rule similar to the one above, allowing the same
“Exchange” traffic from the front-end server’s DMZ address to the destination LAN IP address of the Active
Directory server.

Perform the following steps to test and troubleshoot this completed implementation:

1. Connect with the front-end server’s DMZ IP address from a machine on the WAN and log in to Outlook
Web Access.

2. Test your ability to read and write e-mail and perform all other OWA functions as configured on your
Exchange server.

3. If “page cannot be displayed” is shown, check the firewall access rules and log on the SonicWALL for
packets being dropped at the DMZ.

4. If login fails or other issues are observed after reaching the Outlook Web Access web page, check
firewall rules and log for packets being dropped on the LAN.
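A scripted version of the troubleshooting steps above (both the SonicOS Standard and the SonicOS Enhanced variants), added here as an example that is not part of the KB article or of SonicWALL's own tooling. Run from the front-end Exchange server on the DMZ, it tries a TCP connection to each TCP port in the article's “Exchange” service on both the back-end server and the AD server, so a rule that drops traffic on the LAN side shows up port by port instead of as a generic OWA login failure. The two addresses are constructed placeholders; Test-NetConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the KB article: run on the front-end Exchange server in
# the DMZ to confirm that the TCP ports in the article's "Exchange" service reach the
# back-end server and the AD server through the SonicWALL. The addresses are
# placeholders (constructed); Test-NetConnection needs Windows 8 / Server 2012 or later.
$BackEnd  = '192.0.2.10'   # placeholder: back-end Exchange server's LAN IP (backend_lan)
$AdServer = '192.0.2.20'   # placeholder: Active Directory server's LAN IP (ad_lan)
$AdPort   = 5000           # the static NTDS port written in the registry step

# TCP ports from the article's service list. The UDP entries (53, 88, 389, 5000) cannot
# be checked with a TCP connect and are not probed here.
$TcpPorts = @{
    53   = 'DNS'
    80   = 'HTTP'
    88   = 'Kerberos'
    135  = 'DCE EndPoint (RPC endpoint mapper)'
    389  = 'LDAP'
    445  = 'SMB'
    3268 = 'LDAP Global Catalog'
}
$TcpPorts[$AdPort] = 'AD logon (static NTDS port)'

function Test-ExchangePorts {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [string] $Label
    )
    foreach ($port in ($TcpPorts.Keys | Sort-Object)) {
        $result = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        $state  = if ($result.TcpTestSucceeded) { 'open' } else { 'NO CONNECTION' }
        '{0,-9} {1,5}/tcp  {2,-36} {3}' -f $Label, $port, $TcpPorts[$port], $state
    }
}

# One line per port and host; anything other than "open" should be compared with the
# SonicWALL log for dropped packets on the LAN side, as in troubleshooting step 4.
Test-ExchangePorts -Target $BackEnd  -Label 'back-end'
Test-ExchangePorts -Target $AdServer -Label 'AD'
```

A “NO CONNECTION” result can mean either that the SonicWALL dropped the packet or that nothing listens on that port on the target (HTTP on the AD server, for instance), so read the output next to the firewall log rather than on its own: a drop logged at the same time for the same source, destination and port confirms a missing or misordered access rule, while no log entry points at the server itself.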

KBID 3542

Date Modified 1/9/2008

Date Created 10/16/2007
