Alimov
New Member
September 18, 2014
Question

publishing OWA, ActiveSync, Outlook Anywhere and AutoDiscover.

  • September 18, 2014
  • 16 replies
  • 43348 views

Hello. Where can I find instructions for publishing OWA, ActiveSync, Outlook Anywhere and AutoDiscover? Myself, I only got as far as the certificates: I added the root certificate and the Exchange certificate on the FortiGate. Next, I need to publish the services. How do I do it? My device: FortiGate 100D, firmware v5.2.0, build0589. Exchange 2010 SP3.

16 replies

Alimov (Author)
New Member
September 19, 2014
I understand. Certificates and other stuff are unnecessary, unlike with TMG ))). You just need to do port forwarding.
ejhardin
New Member
September 28, 2014
TMG and a FortiGate are not the same, so yes, just open the port. A FortiWeb is a true replacement for TMG.
Mark_Oakton
New Member
November 21, 2014

How does FortiWeb handle Outlook Anywhere / RPC connections over HTTPS? I know some WAFs have issues with file attachments through email over RPC/HTTPS. Is anyone using FortiWeb for this successfully who can share feedback?

oliverlag
New Member
May 15, 2015

I'm very interested in this thread.

I've just tried a migration and I got a lot of trouble with Outlook ActiveSync and different Android devices.

Can anyone help here?

Thanks

DiNet
New Member
May 19, 2015

oliverlag wrote:

I'm very interested in this thread.

I've just tried a migration and I got a lot of trouble with Outlook ActiveSync and different Android devices.

Can anyone help here?

Thanks

You need to provide info and probably make your own thread for that.

In general there are absolutely no issues with specific OS devices. All you do is a VIP with the HTTPS service, port 443, to your server.

The only issue on the client side would maybe be a leftover certificate, and Androids needing a "reconnect" to force the new cert.

oliverlag
New Member
May 20, 2015

I'm retrying everything in my lab and doing a PoC.

I will get back with a new thread if needed.

Thanks

GeekyTech
New Member
May 27, 2015

I'm in the same boat!

Exchange 2013, single-server setup.

I've had Support set up the VIP and set up the profile, and now when I go to the URL I get an HTTP 400 error. I'll have Support help later today and will post anything they do. I really wish there was a guide, because I'm not sure how you point the Exchange server to it once it's in place.

DiNet
New Member
May 27, 2015

evolutionxtinct wrote:

I'm in the same boat!

Exchange 2013, single-server setup.

I've had Support set up the VIP and set up the profile, and now when I go to the URL I get an HTTP 400 error. I'll have Support help later today and will post anything they do. I really wish there was a guide, because I'm not sure how you point the Exchange server to it once it's in place.

There's no guide because there is absolutely nothing special about Exchange. It is the same port forwarding as on any other appliance or software and for any other server. It's just a port forward.

You go to Objects, go to Virtual IP, set your external IP, set your internal IP, select port forwarding, type 443. Go to Policy and allow all to the newly created VIP.
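The VIP and policy described in the reply above, written out as FortiOS 5.2 CLI. This is an added example, not configuration from the thread or from Fortinet documentation; the interface names wan1 and internal, the public address 203.0.113.10 and the Exchange server address 192.168.1.20 are placeholders that must be replaced with your own values.

```fortios
# Added example: static NAT port forward of TCP/443 to the Exchange CAS.
# Placeholders (assumed, replace): wan1, internal, 203.0.113.10, 192.168.1.20.
config firewall vip
    edit "vip-exchange-https"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "192.168.1.20"
        set mappedport 443
    next
end

# Inbound policy: anything on the WAN may reach the VIP, but only on HTTPS.
config firewall policy
    edit 0
        set comments "Publish OWA / ActiveSync / Outlook Anywhere / Autodiscover"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-exchange-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

All four Exchange services in the question (OWA, ActiveSync, Outlook Anywhere and Autodiscover) are HTTPS on TCP/443, so this single VIP is sufficient; there is no reason to forward 80 or any other port. Because the FortiGate only forwards packets here, TLS terminates on Exchange and Exchange performs all authentication, so the certificate installed on the CAS is the one clients see and the username formats Exchange accepts are the ones that apply. Restricting srcaddr to known networks and logging the policy are the two cheap hardening steps.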

oliverlag
New Member
May 27, 2015

Hi guys, there is a guide! I asked Support and they gave me this non-public doc. There you go:

https://onedrive.live.com...&ithint=file%2cpdf

Despite the title looking great, it does not show many new things.

I tested this thing yesterday and there are two problems:

1 - FGT does not do HTTP redirect, so if you go to https://mail.yourdomain.com it does not redirect to https://mail.yourdomain.com/owa, for example (TMG does it).

2 - TMG can accept authentication without the domain being set up. So mobile devices like Android/iOS are already configured without a domain. Once you migrate from TMG to FGT, all those devices won't work anymore! They will say the password is wrong. Of course it's not the password, it's the username: FGT requires the format DOMAIN\user instead of "user".

This is because TMG authenticates users before talking to Exchange (something that FGT can't do).

 

AndreaSoliva
New Member
May 28, 2015

Hi all,

If you want to go for a TMG replacement, meaning you would like to implement on the FGT the features you used on the TMG, based on SSL offloading for OWA and ActiveSync, there is a document which tells you exactly, step by step, how to configure the stuff on the FGT. The document is called "How_to_configure_TMG_features_on_FGT.pdf".

What is important to know, from my point of view, is that there was a change within the signatures on the Fortinet side. Normally you use, within the application profile, ActiveSync and SSL and/or SSLv2. On 13 May 2015, even though it had been running for months, this configuration stopped working for iOS devices only (customer feedback, all at the same time). All customers are working with iOS 8.3, and no other device is impacted, like Android etc. Of course the virtual server can be troubleshot with "diag debug application vs -1", but the situation indicated that something had changed in the signatures used. Because of this I opened a ticket, and after some discussion I received the answer to ADD the signature HTTPS.BROWSER to ActiveSync and SSL/SSLv2, because the SSL signature no longer covers some stuff, which means part of the SSL signature was moved to HTTPS.BROWSER. This signature is available on 5.2 by default, and also if you use 5.0: even though you would not see it, you can download the IPS DB manually and import it over the FortiGuard page on the FGT. The DB for 5.0 can be found at the link:

'5.00_000_6.648' available at https://support.fortinet.com > Download > FortiGuard Service Updates > V5.00

From what I received from TAC, the Fortinet document "How_to_configure_TMG_features_on_FGT.pdf" is no longer up to date. On my side I have forwarded the information to be tested on the customer site, but so far NO FEEDBACK yet, so from this point of view what is written here is NOT YET confirmed. What I also received from TAC is the following:

HTTPS.BROWSER => HTTP sessions with a packet structure like "GET/POST /xxxx/yyyy/ HTTP/1.1 User-Agent: xxxxx Host: xxxx ......" over SSL.
SSL => Any non-HTTP session, e.g. a proprietary protocol, over SSL.
With the new HTTPS.BROWSER signature, most of the traffic is going to fall under it instead of SSL.

This would confirm why it no longer works with ActiveSync and the SSL signature: in the new SSL signature some parts are missing, and therefore HTTPS.BROWSER has to be added.

This is for your info... I will update as soon as I have feedback from the customer.

Have fun,

Andrea

oliverlag
New Member
May 28, 2015

Andrea,

what about the HTTPS redirect and authentication with the domain?

Did you get issues there?

AndreaSoliva
New Member
May 28, 2015

Hi,

No issue there, only signature-related: if at the moment you remove both signatures, ActiveSync and/or SSL/SSLv2, all is working fine with iOS devices. This confirms it is signature-based.

Hope this helps.

Have fun,

Andrea