Not applicable

Fortigate 50B and RPC over HTTP

Hi, I am using the Fortigate 50B before my Small Business Server 2003. Now I want to use Outlook for my agent outside of the company. The Exchange server is configured correctly, but the agents are not able to log in outside the company to Exchange over the Internet. What I did in the Fortigate 50B:
1. I added the 593 port as a Virtual IP and mapped it to the Exchange server.
2. I added a policy that uses this virtual IP to forward packages from wan1-->internal1.
These two steps worked fine to forward the HTTP, HTTPS and Remote control port to the server, but the RPC over HTTP is not working. Does anyone have an idea? Maybe there is a problem that the firewall is checking the certificate and/or blocks it.
g3rman
New Contributor

Hi iceprice, I assume that they can connect fine to the RPC service. However, the RPC service then assigns a random port number for the client to connect to. Since you don't know what that port number is going to be, you cannot open a port address translation for this. If I remember correctly, though, there is a way to configure Exchange to always use the same ports, so you can then add PATs for those two ports. Check this article for more information: http://www.brienposey.com/kb/connecting_to_Exchange_through_a_firewall.asp
A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
laf
New Contributor II

My idea for now: make a VIP without port forward to the exchange IP server, then sniff for that IP and see the ports used.

The most expensive and scarce resource for man is time, paradoxically, it's infinite.
Not applicable

THX for the answers, I will try to test them soon. I also tried to forward the PPTP port 1723 (VIP and in Profile) to make a standard VPN connection to the SBS, but this is also not working. In my old NAT router I only forwarded the 1723 for PPTP with GRE and ESP and the port 3389, and this worked fine. Maybe this information is helpful to find what's going wrong.
Not applicable

1. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDS --> I do not have this key on my SBS, so I see no ports...
2. I have removed all port mappings to my server and tried to add a VIP with the mapping to the server without a port forwarding. I also added this VIP to the policy "wan1" --> "internal". I thought that this will forward every request from wan1 to the server, but nothing is going through now...
rwpatterson
Valued Contributor III

ORIGINAL: iceprice I have removed all port mappings to my server and tried to add a VIP with the mapping to the server without a port forwarding. I also added this VIP to the policy "wan1" --> "internal". I thought that this will forward every request from wan1 to the server, but nothing is going through now...
Service set to 'Any'?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Maik
New Contributor II

Hi, for RPC over HTTP, a port forwarding of 443 should be sufficient. -> It tunnels RPC through your SSL connection. In Outlook (2003?), could you post the Exchange Proxy settings in your Outlook profile? Do you use Basic Authentication or NTLM? (The default setting is NTLM, which probably does not work. Set it to Basic.)
Not applicable

@rwpatterson Yes, please see the attached screenshots: http://www.stamm-computer.de/firewall
@Maik Yes, 443 is also forwarded. Using Basic authentication. With the old router everything is working fine. I tried to forward the same ports.
g3rman
New Contributor

Hello iceprice, you have not entered anything under External IP Address/Range. That has to be the external IP that you use. E.g. 100.100.100.1 external, 192.168.10.100 internal.
A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
Not applicable

Hello g3rman, thanks for your answer, but I don't quite understand what is supposed to go there, because the client making the request always has a different IP.
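
An added example, not part of any post in this thread: a FortiOS CLI sketch of the setup Maik and g3rman describe, with a VIP that forwards only TCP 443 to the Exchange server and a policy limited to HTTPS instead of a VIP without port forwarding and service 'Any'. The addresses are the sample values from g3rman's reply; the VIP name and the interface names "wan1" and "internal" are assumptions, and exact syntax can differ between FortiOS versions.

```fortios
# Added example, not from the thread. Addresses are g3rman's sample values;
# the VIP name and interface names are assumptions.
config firewall vip
    edit "exchange-rpc-https"
        set extintf "wan1"
        # External IP = the FortiGate's own WAN-side address,
        # not the address of the remote Outlook client
        set extip 100.100.100.1
        # Internal address of the Exchange / SBS server
        set mappedip 192.168.10.100
        # Forward only TCP 443, which carries RPC over HTTP inside SSL
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        # Remote clients arrive from changing addresses, so the source stays "all"
        set srcaddr "all"
        # The VIP is the destination address of the policy
        set dstaddr "exchange-rpc-https"
        set schedule "always"
        # Only HTTPS is allowed in, rather than every service
        set service "HTTPS"
        set action accept
    next
end
```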