Contributor
October 20, 2008
Question

Fortigate 50B and RPC over HTTP

  • October 20, 2008
  • 18 replies
  • 7823 views
Hi, I am using the Fortigate 50B in front of my Small Business Server 2003. Now I want to use Outlook for my agents outside of the company. The Exchange server is configured correctly, but the agents are not able to log in to Exchange over the Internet from outside the company. What I did in the Fortigate 50B:

1. I added port 593 as a Virtual IP and mapped it to the Exchange server.
2. I added a policy that uses this virtual IP to forward packets from wan1 --> internal1.

These two steps worked fine to forward the HTTP, HTTPS and Remote Control ports to the server, but RPC over HTTP is not working. Does anyone have an idea? Maybe the problem is that the firewall is checking the certificate and/or blocks it.


    g3rman
    New Member
    October 20, 2008
Hi iceprice, I assume that they can connect fine to the RPC service. However, the RPC service then assigns a random port number for the client to connect to. Since you don't know what that port number is going to be, you cannot open a port address translation for this. If I remember correctly though, there is a way to configure Exchange to always use the same ports, so you can then add PATs for those two ports. Check this article for more information: http://www.brienposey.com/kb/connecting_to_Exchange_through_a_firewall.asp
    laf
    New Member
    October 20, 2008
My idea for now: make a VIP without port forwarding to the Exchange server IP, then sniff for that IP and see the ports used.
    Contributor
    October 20, 2008
THX for the answers, I will try to test them soon. I also tried to forward the PPTP port 1723 (VIP and in the profile) to make a standard VPN connection to the SBS, but this is also not working. In my old NAT router I only forwarded 1723 for PPTP with GRE and ESP, and port 3389, and this worked fine. Maybe this information is helpful to find what's going wrong.
    Contributor
    October 20, 2008
1. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDS --> I do not have this key on my SBS, so I see no ports....
2. I have removed all port mappings to my server and tried to add a VIP with the mapping to the server without a port forwarding. I also added this VIP to the policy "wan1" --> "internal". I thought that this would forward every request from wan1 to the server, but nothing is going through now...
    rwpatterson
    New Member
    October 20, 2008
ORIGINAL: iceprice
I have removed all port mappings to my server and tried to add a VIP with the mapping to the server without a port forwarding. I also added this VIP to the policy "wan1" --> "internal". I thought that this would forward every request from wan1 to the server, but nothing is going through now...

Service set to 'Any'?
    Maik
    New Member
    October 20, 2008
Hi, for RPC over HTTP, port forwarding of 443 should be sufficient -> it tunnels RPC through your SSL connection. In Outlook (2003?), could you post the Exchange Proxy settings in your Outlook profile? Do you use Basic Authentication or NTLM? (The default setting is NTLM, which probably does not work; set it to Basic.)
    Contributor
    October 20, 2008
@rwpatterson Yes, please see the attached screenshots: http://www.stamm-computer.de/firewall
@Maik Yes, 443 is also forwarded, using Basic authentication. With the old router everything is working fine. I tried to forward the same ports.
    g3rman
    New Member
    October 20, 2008
Hello iceprice, you entered nothing under External IP Address/Range. That must be the external IP that you are using. E.g. 100.100.100.1 external, 192.168.10.100 internal.
    Contributor
    October 20, 2008
Hello g3rman, thanks for your reply, but I don't quite understand what should go there, since the requesting client always has a different IP.
    g3rman
    New Member
    October 20, 2008
For example:
Firewall external IP: 50.50.50.1
Firewall internal IP: 192.168.10.1
Server IP: 192.168.10.100

Name: test
External interface: wan1
Type: Static NAT
External IP Address/Range: 50.50.50.2
Mapped IP Address/Range: 192.168.10.100

I.e. the external IP address 50.50.50.2 is then translated to 192.168.10.100. The "External IP" only has to do with the firewall, nothing to do with the client. Does that make sense?
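The VIP that g3rman's field list describes, and the 443-only port-forward variant that Maik suggested earlier in the thread, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in this thread or shipped by Fortinet; it assumes the constructed addresses from g3rman's post, the interface names wan1 and internal used in the thread, and FortiOS 3.x/4.x CLI syntax. The object names "test" and "exchange-https" are placeholders.

```fortios
# Added example, not from the thread. Addresses are the constructed ones
# from g3rman's post; "test" and "exchange-https" are placeholder names.

# 1) Static NAT VIP, matching the GUI fields above: every port on the
#    external address 50.50.50.2 is translated to 192.168.10.100.
config firewall vip
    edit "test"
        set extintf "wan1"
        set extip 50.50.50.2
        set mappedip 192.168.10.100
    next
end

# 2) Alternative: port-forward VIP for RPC over HTTPS only (Maik's
#    suggestion). Only TCP/443 is exposed; every other port on that
#    external address stays closed, which is the smaller exposure.
config firewall vip
    edit "exchange-https"
        set extintf "wan1"
        set extip 50.50.50.2
        set mappedip 192.168.10.100
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# 3) wan1 -> internal policy with the VIP as destination. With the
#    port-forward VIP the service can stay restricted to HTTPS; with the
#    static NAT VIP it would have to be ANY (rwpatterson's question).
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "exchange-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Use one of the two VIPs, not both: they claim the same external address. The extip must be the address the firewall actually holds on wan1, which is the awkward part with an Internet address that changes daily, as iceprice describes; the certificate is carried inside the TLS session and is not inspected by a plain VIP and accept policy.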
    Contributor
    October 20, 2008
OK, as a test I entered the external (Internet) IP, which changes every 24 hours for us. After that I could reach the server again with other services, but still not with Outlook. I also thought 0.0.0.0 was a kind of wildcard for all incoming IPs on wan1. Could it possibly be the certificate? Could it be that the firewall checks it and possibly does not let it through?