Watchguard M270 Exchange Outlook Anywhere without SNAT
Hello Community,
I have a question about a Watchguard M270 with Total Security. Since I installed it I can use Outlook Anywhere with a SNAT rule to the Exchange system. I want to harden it a bit. Is it possible to use Outlook Anywhere from it without this special SNAT rule?
I do not want to open that to everyone. Does anyone have a better solution for that topic than the SNAT rule? People should go to the portal and pre-authenticate there, like it is now working for OWA; afterwards they should also be allowed to use Outlook Anywhere, but not before.
Thanks for any idea!
Mikro
Comments
I see what you are saying, having a direct SNAT via HTTP to your Exchange Server seems a bit insecure.
A good majority of my IPS detections are trying to exploit this very opening.
The whole purpose of Outlook Anywhere is for the Outlook client to be able to access email without having to utilize a VPN connection. Basically wrapping RPCs in an HTTP traffic layer so traffic can get through the firewall.
One could always disable Outlook Anywhere and require users to VPN for client access or OWA for web based access. Not certain they would like that though. Maybe Microsoft needs to update their communication protocols for on prem Exchange. Doubt that will ever happen as they want everyone on O365.
Great question. Wish I had more insight.
It's usually something simple.
Client VPN, WG auth applet authentication first, or the WG Access Portal
About the Access Portal
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/access%20portal/access_portal_about.html
Hello Bruce, have you ever set that up? Can you give me a hint? I have created it. But Outlook fails to connect after logging in to the portal.
Thanks, Mirko
Have you reviewed this?
Reverse Proxy for the Access Portal
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/access%20portal/access_portal_reverse-proxy.html
Yes, I read it. Is it working for you without the SNAT rule?
The point is that the user authenticates to the portal, thus removing general access to an app via a general SNAT based policy - your initial goal.
If you can't get this working, consider opening a support case on it or start a new post asking for help on getting this working for you.
I do not have a firewall model which supports the Access Portal, so I have no direct experience using it.